From f59b4ac6fced0e9b08bc413922922d42b3e127af Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 1 Jul 2018 12:09:13 +0200 Subject: [PATCH] 4.17-stable patches added patches: arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch arm-dts-fix-spi-node-for-arria10.patch arm-dts-socfpga-fix-nand-controller-clock-supply.patch arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch arm-dts-socfpga-fix-nand-controller-node-compatible.patch arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vcc-1v2-regulator-voltage.patch arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch arm64-dts-marvell-fix-cp110-icu-node-size.patch arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch arm64-dts-meson-gx-fix-atf-reserved-memory-region.patch arm64-dts-stratix10-fix-spi-nodes-for-stratix10.patch arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch arm64-kpti-use-early_param-for-kpti-command-line-option.patch arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch branch-check-fix-long-int-truncation-when-profiling-branches.patch clk-aspeed-fix-reset-bits-for-pci-vga-and-peci.patch cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch crypto-arm64-aes-blk-fix-and-move-skcipher_walk_done-out-of-kernel_neon_begin-_end.patch cxl-configure-psl-to-not-use-apc-virtual-machines.patch cxl-disable-prefault_mode-in-radix-mode.patch efi-libstub-tpm-initialize-efi_physical_addr_t-vars-to-zero-for-mixed-mode.patch fuse-atomic_o_trunc-should-truncate-pagecache.patch fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch fuse-fix-congested-state-leak-on-aborted-connections.patch fuse-fix-control-dir-setup-and-teardown.patch hwrng-core-always-drop-the-rng-in-hwrng_unregister.patch ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch ib-hfi1-fix-fault-injection-init-exit-issues.patch ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch ib-hfi1-qib-add-handling-of-kernel-restart.patch ib-hfi1-reorder-incorrect-send-context-disable.patch ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch ib-isert-fix-t10-pi-check-mask-setting.patch ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch ib-qib-fix-dma-api-warning-with-debug-kernel.patch ib-uverbs-fix-ordering-of-ucontext-check-in-ib_uverbs_write.patch ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch libnvdimm-pmem-do-not-flush-power-fail-protected-cpu-caches.patch mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch mtd-rawnand-all-ac-chips-have-a-broken-get_features-timings.patch mtd-rawnand-denali_dt-set-clk_x_rate-to-200-mhz-unconditionally.patch mtd-rawnand-do-not-check-fail-bit-when-executing-a-set_features-op.patch mtd-rawnand-fix-return-value-check-for-bad-block-status.patch mtd-rawnand-micron-add-onfi_feature_on_die_ecc-to-supported-features.patch mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch of-overlay-validate-offset-from-property-fixups.patch of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch pci-account-for-all-bridges-on-bus-when-distributing-bus-numbers.patch pci-add-acs-quirk-for-intel-300-series.patch pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch pci-hv-make-sure-the-bus-domain-is-really-unique.patch pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch powerpc-64s-fix-dt-cpu-features-power9-dd2.1-logic.patch powerpc-64s-radix-fix-radix_kvm_prefetch_workaround-paca-access-of-not-possible-cpu.patch powerpc-e500mc-set-assembler-machine-type-to-e500mc.patch powerpc-fadump-unregister-fadump-on-kexec-down-path.patch powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch powerpc-pkeys-detach-execute_only-key-on-prot_exec.patch powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch printk-fix-possible-reuse-of-va_list-variable.patch rdma-core-save-kernel-caller-name-when-creating-cq-using-ib_create_cq.patch rdma-mlx4-discard-unknown-sqp-work-requests.patch soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch softirq-reorder-trace_softirqs_on-to-prevent-lockdep-splat.patch tpm-fix-race-condition-in-tpm_common_write.patch tpm-fix-use-after-free-in-tpm2_load_context.patch xprtrdma-return-enobufs-when-no-pages-are-available.patch --- ...so-that-gdb_regs-is-the-correct-size.patch | 45 ++++++ .../arm-dts-fix-spi-node-for-arria10.patch | 35 ++++ ...pga-fix-nand-controller-clock-supply.patch | 36 +++++ ...ntroller-node-compatible-for-arria10.patch | 32 ++++ ...-fix-nand-controller-node-compatible.patch | 35 ++++ ...-cc-h3-ver-vcc-1v2-regulator-voltage.patch | 38 +++++ ...ix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch | 38 +++++ ...-dts-marvell-fix-cp110-icu-node-size.patch | 34 ++++ ...ble-sd-uhs-modes-on-the-libretech-cc.patch | 44 +++++ ...on-gx-fix-atf-reserved-memory-region.patch | 58 +++++++ ...tratix10-fix-spi-nodes-for-stratix10.patch | 45 ++++++ ...g-around-signal-suppressed-by-tracer.patch | 72 +++++++++ ...y_param-for-kpti-command-line-option.patch | 39 +++++ ...red-wrt-subsequent-cache-maintenance.patch | 44 +++++ ...tch-failure-with-userspace-fw-loader.patch | 42 +++++ ...t-truncation-when-profiling-branches.patch | 41 +++++ ...-fix-reset-bits-for-pci-vga-and-peci.patch | 57 +++++++ ...n-from-snooze-if-next-state-disabled.patch | 146 +++++++++++++++++ ...k_done-out-of-kernel_neon_begin-_end.patch | 68 ++++++++ ...-psl-to-not-use-apc-virtual-machines.patch | 41 +++++ ...-disable-prefault_mode-in-radix-mode.patch | 100 ++++++++++++ ...l_addr_t-vars-to-zero-for-mixed-mode.patch | 52 ++++++ ...ic_o_trunc-should-truncate-pagecache.patch | 52 ++++++ ...ep-dead-fuse_conn-at-fuse_fill_super.patch | 41 +++++ ...ed-state-leak-on-aborted-connections.patch | 49 ++++++ ...e-fix-control-dir-setup-and-teardown.patch | 68 ++++++++ ...ays-drop-the-rng-in-hwrng_unregister.patch | 60 +++++++ ...writability-a-static-inline-function.patch | 68 ++++++++ ...fix-fault-injection-init-exit-issues.patch | 122 ++++++++++++++ ...ontext-tail-allocation-for-dma_rtail.patch | 123 ++++++++++++++ ...nter-locking-when-queuing-cq-entries.patch | 119 ++++++++++++++ ...1-qib-add-handling-of-kernel-restart.patch | 134 +++++++++++++++ ...order-incorrect-send-context-disable.patch | 123 ++++++++++++++ ...for-lib-dma_debug-check_sync-warning.patch | 114 +++++++++++++ ...-isert-fix-t10-pi-check-mask-setting.patch | 37 +++++ ...if-actual-virtual-memory-is-writable.patch | 120 ++++++++++++++ ...etch-soft-wqe-s-on-fatal-error-state.patch | 82 ++++++++++ ...ix-dma-api-warning-with-debug-kernel.patch | 153 ++++++++++++++++++ ...of-ucontext-check-in-ib_uverbs_write.patch | 57 +++++++ ...ut-before-doing-a-capabilities-check.patch | 42 +++++ ...lush-power-fail-protected-cpu-caches.patch | 47 ++++++ ...k-core-externalsync-for-pcie-erratum.patch | 84 ++++++++++ ...oid-walking-all-chips-when-unlocking.patch | 33 ++++ ...e-erase-functions-to-retry-for-error.patch | 91 +++++++++++ ...-write-buffer-to-check-correct-value.patch | 45 ++++++ ...02-fix-segv-unlocking-multiple-chips.patch | 54 +++++++ ...ing-requests-crossing-a-chip-boudary.patch | 36 +++++ ...0002-use-right-chip-in-do_ppb_xxlock.patch | 57 +++++++ ...s-have-a-broken-get_features-timings.patch | 85 ++++++++++ ...lk_x_rate-to-200-mhz-unconditionally.patch | 49 ++++++ ...bit-when-executing-a-set_features-op.patch | 84 ++++++++++ ...urn-value-check-for-bad-block-status.patch | 37 +++++ ...ure_on_die_ecc-to-supported-features.patch | 35 ++++ ...-spare-area-size-register-explicitly.patch | 64 ++++++++ ...validate-offset-from-property-fixups.patch | 41 +++++ ...id-dev-in-of_platform_device_destroy.patch | 120 ++++++++++++++ ...-trailing-0-in-property-length-field.patch | 63 ++++++++ ...on-bus-when-distributing-bus-numbers.patch | 110 +++++++++++++ ...i-add-acs-quirk-for-intel-300-series.patch | 43 +++++ ...s-quirk-for-intel-7th-8th-gen-mobile.patch | 56 +++++++ ...sure-the-bus-domain-is-really-unique.patch | 67 ++++++++ ...-link-layer-status-changed-on-resume.patch | 83 ++++++++++ ...x-dt-cpu-features-power9-dd2.1-logic.patch | 42 +++++ ...ound-paca-access-of-not-possible-cpu.patch | 35 ++++ ...set-assembler-machine-type-to-e500mc.patch | 50 ++++++ ...unregister-fadump-on-kexec-down-path.patch | 39 +++++ ...ync-prior-to-kernel-stack-slb-switch.patch | 63 ++++++++ ...-core-imc-based-on-num_possible_cpus.patch | 92 +++++++++++ ...detach-execute_only-key-on-prot_exec.patch | 42 +++++ ...powernv-copy-paste-mask-so-bit-in-cr.patch | 34 ++++ ...nit-all-present-cpus-for-deep-states.patch | 48 ++++++ ...2-remove-redundant-free-of-tce-pages.patch | 45 ++++++ ...-fix-enforcement-of-dawr-constraints.patch | 41 +++++ ...breakpoints-with-ptrace_set_debugreg.patch | 42 +++++ ...x-possible-reuse-of-va_list-variable.patch | 52 ++++++ ...-when-creating-cq-using-ib_create_cq.patch | 121 ++++++++++++++ ...x4-discard-unknown-sqp-work-requests.patch | 32 ++++ queue-4.17/series | 82 ++++++++++ ...alue-when-power-up-pd-with-writemask.patch | 37 +++++ ...softirqs_on-to-prevent-lockdep-splat.patch | 97 +++++++++++ ...x-race-condition-in-tpm_common_write.patch | 139 ++++++++++++++++ ...-use-after-free-in-tpm2_load_context.patch | 36 +++++ ...-enobufs-when-no-pages-are-available.patch | 35 ++++ 83 files changed, 5294 insertions(+) create mode 100644 queue-4.17/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch create mode 100644 queue-4.17/arm-dts-fix-spi-node-for-arria10.patch create mode 100644 queue-4.17/arm-dts-socfpga-fix-nand-controller-clock-supply.patch create mode 100644 queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch create mode 100644 queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible.patch create mode 100644 queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vcc-1v2-regulator-voltage.patch create mode 100644 queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch create mode 100644 queue-4.17/arm64-dts-marvell-fix-cp110-icu-node-size.patch create mode 100644 queue-4.17/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch create mode 100644 queue-4.17/arm64-dts-meson-gx-fix-atf-reserved-memory-region.patch create mode 100644 queue-4.17/arm64-dts-stratix10-fix-spi-nodes-for-stratix10.patch create mode 100644 queue-4.17/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch create mode 100644 queue-4.17/arm64-kpti-use-early_param-for-kpti-command-line-option.patch create mode 100644 queue-4.17/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch create mode 100644 queue-4.17/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch create mode 100644 queue-4.17/branch-check-fix-long-int-truncation-when-profiling-branches.patch create mode 100644 queue-4.17/clk-aspeed-fix-reset-bits-for-pci-vga-and-peci.patch create mode 100644 queue-4.17/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch create mode 100644 queue-4.17/crypto-arm64-aes-blk-fix-and-move-skcipher_walk_done-out-of-kernel_neon_begin-_end.patch create mode 100644 queue-4.17/cxl-configure-psl-to-not-use-apc-virtual-machines.patch create mode 100644 queue-4.17/cxl-disable-prefault_mode-in-radix-mode.patch create mode 100644 queue-4.17/efi-libstub-tpm-initialize-efi_physical_addr_t-vars-to-zero-for-mixed-mode.patch create mode 100644 queue-4.17/fuse-atomic_o_trunc-should-truncate-pagecache.patch create mode 100644 queue-4.17/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch create mode 100644 queue-4.17/fuse-fix-congested-state-leak-on-aborted-connections.patch create mode 100644 queue-4.17/fuse-fix-control-dir-setup-and-teardown.patch create mode 100644 queue-4.17/hwrng-core-always-drop-the-rng-in-hwrng_unregister.patch create mode 100644 queue-4.17/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch create mode 100644 queue-4.17/ib-hfi1-fix-fault-injection-init-exit-issues.patch create mode 100644 queue-4.17/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch create mode 100644 queue-4.17/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch create mode 100644 queue-4.17/ib-hfi1-qib-add-handling-of-kernel-restart.patch create mode 100644 queue-4.17/ib-hfi1-reorder-incorrect-send-context-disable.patch create mode 100644 queue-4.17/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch create mode 100644 queue-4.17/ib-isert-fix-t10-pi-check-mask-setting.patch create mode 100644 queue-4.17/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch create mode 100644 queue-4.17/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch create mode 100644 queue-4.17/ib-qib-fix-dma-api-warning-with-debug-kernel.patch create mode 100644 queue-4.17/ib-uverbs-fix-ordering-of-ucontext-check-in-ib_uverbs_write.patch create mode 100644 queue-4.17/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch create mode 100644 queue-4.17/libnvdimm-pmem-do-not-flush-power-fail-protected-cpu-caches.patch create mode 100644 queue-4.17/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch create mode 100644 queue-4.17/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch create mode 100644 queue-4.17/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch create mode 100644 queue-4.17/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch create mode 100644 queue-4.17/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch create mode 100644 queue-4.17/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch create mode 100644 queue-4.17/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch create mode 100644 queue-4.17/mtd-rawnand-all-ac-chips-have-a-broken-get_features-timings.patch create mode 100644 queue-4.17/mtd-rawnand-denali_dt-set-clk_x_rate-to-200-mhz-unconditionally.patch create mode 100644 queue-4.17/mtd-rawnand-do-not-check-fail-bit-when-executing-a-set_features-op.patch create mode 100644 queue-4.17/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch create mode 100644 queue-4.17/mtd-rawnand-micron-add-onfi_feature_on_die_ecc-to-supported-features.patch create mode 100644 queue-4.17/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch create mode 100644 queue-4.17/of-overlay-validate-offset-from-property-fixups.patch create mode 100644 queue-4.17/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch create mode 100644 queue-4.17/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch create mode 100644 queue-4.17/pci-account-for-all-bridges-on-bus-when-distributing-bus-numbers.patch create mode 100644 queue-4.17/pci-add-acs-quirk-for-intel-300-series.patch create mode 100644 queue-4.17/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch create mode 100644 queue-4.17/pci-hv-make-sure-the-bus-domain-is-really-unique.patch create mode 100644 queue-4.17/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch create mode 100644 queue-4.17/powerpc-64s-fix-dt-cpu-features-power9-dd2.1-logic.patch create mode 100644 queue-4.17/powerpc-64s-radix-fix-radix_kvm_prefetch_workaround-paca-access-of-not-possible-cpu.patch create mode 100644 queue-4.17/powerpc-e500mc-set-assembler-machine-type-to-e500mc.patch create mode 100644 queue-4.17/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch create mode 100644 queue-4.17/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch create mode 100644 queue-4.17/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch create mode 100644 queue-4.17/powerpc-pkeys-detach-execute_only-key-on-prot_exec.patch create mode 100644 queue-4.17/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch create mode 100644 queue-4.17/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch create mode 100644 queue-4.17/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch create mode 100644 queue-4.17/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch create mode 100644 queue-4.17/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch create mode 100644 queue-4.17/printk-fix-possible-reuse-of-va_list-variable.patch create mode 100644 queue-4.17/rdma-core-save-kernel-caller-name-when-creating-cq-using-ib_create_cq.patch create mode 100644 queue-4.17/rdma-mlx4-discard-unknown-sqp-work-requests.patch create mode 100644 queue-4.17/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch create mode 100644 queue-4.17/softirq-reorder-trace_softirqs_on-to-prevent-lockdep-splat.patch create mode 100644 queue-4.17/tpm-fix-race-condition-in-tpm_common_write.patch create mode 100644 queue-4.17/tpm-fix-use-after-free-in-tpm2_load_context.patch create mode 100644 queue-4.17/xprtrdma-return-enobufs-when-no-pages-are-available.patch diff --git a/queue-4.17/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch b/queue-4.17/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch new file mode 100644 index 00000000000..ed7656b6eba --- /dev/null +++ b/queue-4.17/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch @@ -0,0 +1,45 @@ +From 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 Mon Sep 17 00:00:00 2001 +From: David Rivshin +Date: Wed, 25 Apr 2018 21:15:01 +0100 +Subject: ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size + +From: David Rivshin + +commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream. + +NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly +based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM +is the number of total registers, while GDB_MAX_REGS is the number +of 'unsigned longs' it takes to serialize those registers. Since +FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is +smaller than GDB_MAX_REGS. + +This causes GDB 8.0 give the following error on connect: +"Truncated register 19 in remote 'g' packet" + +This also causes the register serialization/deserialization logic +to overflow gdb_regs[], overwriting whatever follows. + +Fixes: 834b2964b7ab ("kgdb,arm: fix register dump") +Cc: # 2.6.37+ +Signed-off-by: David Rivshin +Acked-by: Rabin Vincent +Tested-by: Daniel Thompson +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/kgdb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/include/asm/kgdb.h ++++ b/arch/arm/include/asm/kgdb.h +@@ -77,7 +77,7 @@ extern int kgdb_fault_expected; + + #define KGDB_MAX_NO_CPUS 1 + #define BUFMAX 400 +-#define NUMREGBYTES (DBG_MAX_REG_NUM << 2) ++#define NUMREGBYTES (GDB_MAX_REGS << 2) + #define NUMCRITREGBYTES (32 << 2) + + #define _R0 0 diff --git a/queue-4.17/arm-dts-fix-spi-node-for-arria10.patch b/queue-4.17/arm-dts-fix-spi-node-for-arria10.patch new file mode 100644 index 00000000000..f46efee93cc --- /dev/null +++ b/queue-4.17/arm-dts-fix-spi-node-for-arria10.patch @@ -0,0 +1,35 @@ +From 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Fri, 22 Jun 2018 13:37:34 -0500 +Subject: ARM: dts: Fix SPI node for Arria10 + +From: Thor Thayer + +commit 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 upstream. + +Remove the unused bus-num node and change num-chipselect +to num-cs to match SPI bindings. + +Cc: stable@vger.kernel.org +Fixes: f2d6f8f817814 ("ARM: dts: socfpga: Add SPI Master1 for Arria10 SR chip") +Signed-off-by: Thor Thayer +Signed-off-by: Dinh Nguyen +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/socfpga_arria10.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/socfpga_arria10.dtsi ++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi +@@ -593,8 +593,7 @@ + #size-cells = <0>; + reg = <0xffda5000 0x100>; + interrupts = <0 102 4>; +- num-chipselect = <4>; +- bus-num = <0>; ++ num-cs = <4>; + /*32bit_access;*/ + tx-dma-channel = <&pdma 16>; + rx-dma-channel = <&pdma 17>; diff --git a/queue-4.17/arm-dts-socfpga-fix-nand-controller-clock-supply.patch b/queue-4.17/arm-dts-socfpga-fix-nand-controller-clock-supply.patch new file mode 100644 index 00000000000..85c4b1f29fc --- /dev/null +++ b/queue-4.17/arm-dts-socfpga-fix-nand-controller-clock-supply.patch @@ -0,0 +1,36 @@ +From 4eda9b766b042ea38d84df91581b03f6145a2ab0 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 10 May 2018 16:37:26 +0200 +Subject: ARM: dts: socfpga: Fix NAND controller clock supply + +From: Marek Vasut + +commit 4eda9b766b042ea38d84df91581b03f6145a2ab0 upstream. + +The Denali NAND x-clock should be supplied by nand_x_clk, not by +nand_clk. Fix this, otherwise the Denali driver gets incorrect +clock frequency information and incorrectly configures the NAND +timing. + +Cc: stable@vger.kernel.org +Signed-off-by: Marek Vasut +Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes") +Cc: Steffen Trumtrar +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/socfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -754,7 +754,7 @@ + reg-names = "nand_data", "denali_reg"; + interrupts = <0x0 0x90 0x4>; + dma-mask = <0xffffffff>; +- clocks = <&nand_clk>; ++ clocks = <&nand_x_clk>; + status = "disabled"; + }; + diff --git a/queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch b/queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch new file mode 100644 index 00000000000..33aa55335f7 --- /dev/null +++ b/queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch @@ -0,0 +1,32 @@ +From 3877ef7a1ccecaae378c497e1dcddbc2dccb664c Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Mon, 14 May 2018 10:15:19 -0500 +Subject: ARM: dts: socfpga: Fix NAND controller node compatible for Arria10 + +From: Dinh Nguyen + +commit 3877ef7a1ccecaae378c497e1dcddbc2dccb664c upstream. + +The NAND compatible "denali,denal-nand-dt" property has never been used and +is obsolete. Remove it. + +Cc: stable@vger.kernel.org +Fixes: f549af06e9b6("ARM: dts: socfpga: Add NAND device tree for Arria10") +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/socfpga_arria10.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga_arria10.dtsi ++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi +@@ -632,7 +632,7 @@ + nand: nand@ffb90000 { + #address-cells = <1>; + #size-cells = <1>; +- compatible = "denali,denali-nand-dt", "altr,socfpga-denali-nand"; ++ compatible = "altr,socfpga-denali-nand"; + reg = <0xffb90000 0x72000>, + <0xffb80000 0x10000>; + reg-names = "nand_data", "denali_reg"; diff --git a/queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible.patch b/queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible.patch new file mode 100644 index 00000000000..edd1ff334b2 --- /dev/null +++ b/queue-4.17/arm-dts-socfpga-fix-nand-controller-node-compatible.patch @@ -0,0 +1,35 @@ +From d9a695f3c8098ac9684689774a151cff30d8aa25 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 10 May 2018 14:52:23 +0200 +Subject: ARM: dts: socfpga: Fix NAND controller node compatible + +From: Marek Vasut + +commit d9a695f3c8098ac9684689774a151cff30d8aa25 upstream. + +The compatible string for the Denali NAND controller is incorrect, +fix it by replacing it with one matching the DT bindings and the +driver. + +Cc: stable@vger.kernel.org +Signed-off-by: Marek Vasut +Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes") +Cc: Steffen Trumtrar +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/socfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -748,7 +748,7 @@ + nand0: nand@ff900000 { + #address-cells = <0x1>; + #size-cells = <0x1>; +- compatible = "denali,denali-nand-dt"; ++ compatible = "altr,socfpga-denali-nand"; + reg = <0xff900000 0x100000>, + <0xffb80000 0x10000>; + reg-names = "nand_data", "denali_reg"; diff --git a/queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vcc-1v2-regulator-voltage.patch b/queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vcc-1v2-regulator-voltage.patch new file mode 100644 index 00000000000..dd7b6ee5084 --- /dev/null +++ b/queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vcc-1v2-regulator-voltage.patch @@ -0,0 +1,38 @@ +From bceb1f25b8614e529cc74c5f2339e84f4d4a88ae Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Tue, 24 Apr 2018 19:34:18 +0800 +Subject: ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VCC-1V2 regulator voltage + +From: Chen-Yu Tsai + +commit bceb1f25b8614e529cc74c5f2339e84f4d4a88ae upstream. + +The voltage of the VCC-1V2 regulator on the ALL-H3-CC H3 ver. should be +1.2V, not the 3.3V currently defined in the device tree. + +Fix the voltage in the device tree. + +Fixes: 6ca358645d4d ("ARM: dts: sun8i: h3: Add dts file for Libre + Computer Board ALL-H3-CC H3 ver.") +Cc: # 4.16.x +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts ++++ b/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts +@@ -62,8 +62,8 @@ + reg_vcc1v2: vcc1v2 { + compatible = "regulator-fixed"; + regulator-name = "vcc1v2"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; ++ regulator-min-microvolt = <1200000>; ++ regulator-max-microvolt = <1200000>; + regulator-always-on; + regulator-boot-on; + vin-supply = <®_vcc5v0>; diff --git a/queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch b/queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch new file mode 100644 index 00000000000..0a3a03159e8 --- /dev/null +++ b/queue-4.17/arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch @@ -0,0 +1,38 @@ +From e6e7b7c2c81e05c8774193da06348119583d4292 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Tue, 6 Feb 2018 12:49:04 +0800 +Subject: ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VDD-CPUX voltage + +From: Icenowy Zheng + +commit e6e7b7c2c81e05c8774193da06348119583d4292 upstream. + +The VDD-CPUX voltage of ALL-H3-CC H3 ver should be 1.2V, not the 3.3V +currently defined in the device tree. + +Fix the voltage in the device tree. + +Fixes: 6ca358645d4d ("ARM: dts: sun8i: h3: Add dts file for Libre Computer Board ALL-H3-CC H3 ver.") +Signed-off-by: Icenowy Zheng +Reviewed-by: Chen-Yu Tsai +Cc: # 4.16.x +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts ++++ b/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts +@@ -113,8 +113,8 @@ + reg_vdd_cpux: vdd-cpux { + compatible = "regulator-fixed"; + regulator-name = "vdd-cpux"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; ++ regulator-min-microvolt = <1200000>; ++ regulator-max-microvolt = <1200000>; + regulator-always-on; + regulator-boot-on; + vin-supply = <®_vcc5v0>; diff --git a/queue-4.17/arm64-dts-marvell-fix-cp110-icu-node-size.patch b/queue-4.17/arm64-dts-marvell-fix-cp110-icu-node-size.patch new file mode 100644 index 00000000000..65dca590d41 --- /dev/null +++ b/queue-4.17/arm64-dts-marvell-fix-cp110-icu-node-size.patch @@ -0,0 +1,34 @@ +From 2f872ddcdb1e8e2186162616cea4581b8403849d Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 22 May 2018 11:40:28 +0200 +Subject: arm64: dts: marvell: fix CP110 ICU node size + +From: Miquel Raynal + +commit 2f872ddcdb1e8e2186162616cea4581b8403849d upstream. + +ICU size in CP110 is not 0x10 but at least 0x440 bytes long (from the +specification). + +Fixes: 6ef84a827c37 ("arm64: dts: marvell: enable GICP and ICU on Armada 7K/8K") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Thomas Petazzoni +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/marvell/armada-cp110.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi +@@ -149,7 +149,7 @@ + + CP110_LABEL(icu): interrupt-controller@1e0000 { + compatible = "marvell,cp110-icu"; +- reg = <0x1e0000 0x10>; ++ reg = <0x1e0000 0x440>; + #interrupt-cells = <3>; + interrupt-controller; + msi-parent = <&gicp>; diff --git a/queue-4.17/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch b/queue-4.17/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch new file mode 100644 index 00000000000..65ee01d2b93 --- /dev/null +++ b/queue-4.17/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch @@ -0,0 +1,44 @@ +From d5b4885b1dff72ac670b518cfeaac719d768bd4d Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Thu, 26 Apr 2018 12:50:46 +0200 +Subject: ARM64: dts: meson: disable sd-uhs modes on the libretech-cc + +From: Jerome Brunet + +commit d5b4885b1dff72ac670b518cfeaac719d768bd4d upstream. + +There is a problem with the sd-uhs mode when doing a soft reboot. +Switching back from 1.8v to 3.3v messes with the card, which no longer +respond (timeout errors). According to the specification, we should +perform a card reset (power cycling the card) but this is something we +cannot control on this design. + +Then the only solution to restore the communication with the card is an +"unplug-plug" which is not acceptable + +Until we find a solution, if any, disable the sd-uhs modes on this design. +For the people using uhs at the moment, there will a performance drop as +a result. + +Fixes: 3cde63ebc85c ("ARM64: dts: meson-gxl: libretech-cc: enable high speed modes") +Signed-off-by: Jerome Brunet +Cc: stable@vger.kernel.org +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts +@@ -234,9 +234,6 @@ + + bus-width = <4>; + cap-sd-highspeed; +- sd-uhs-sdr12; +- sd-uhs-sdr25; +- sd-uhs-sdr50; + max-frequency = <100000000>; + disable-wp; + diff --git a/queue-4.17/arm64-dts-meson-gx-fix-atf-reserved-memory-region.patch b/queue-4.17/arm64-dts-meson-gx-fix-atf-reserved-memory-region.patch new file mode 100644 index 00000000000..4d89a3bfdfe --- /dev/null +++ b/queue-4.17/arm64-dts-meson-gx-fix-atf-reserved-memory-region.patch @@ -0,0 +1,58 @@ +From 48e21ded0432ee1e2359d4143d7a6925cefee1b5 Mon Sep 17 00:00:00 2001 +From: Kevin Hilman +Date: Thu, 7 Jun 2018 13:51:01 -0700 +Subject: ARM64: dts: meson-gx: fix ATF reserved memory region + +From: Kevin Hilman + +commit 48e21ded0432ee1e2359d4143d7a6925cefee1b5 upstream. + +Vendor firmware/uboot has different reserved regions depending on +firmware version, but current codebase reserves the same regions on +GXL and GXBB, so move the additional reserved memory region to common +.dtsi. + +Found when putting a recent vendor u-boot on meson-gxbb-p200. + +Suggested-by: Neil Armstrong +Cc: stable@vger.kernel.org +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 6 ++++++ + arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 8 -------- + 2 files changed, 6 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -35,6 +35,12 @@ + no-map; + }; + ++ /* Alternate 3 MiB reserved for ARM Trusted Firmware (BL31) */ ++ secmon_reserved_alt: secmon@5000000 { ++ reg = <0x0 0x05000000 0x0 0x300000>; ++ no-map; ++ }; ++ + linux,cma { + compatible = "shared-dma-pool"; + reusable; +--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +@@ -13,14 +13,6 @@ + / { + compatible = "amlogic,meson-gxl"; + +- reserved-memory { +- /* Alternate 3 MiB reserved for ARM Trusted Firmware (BL31) */ +- secmon_reserved_alt: secmon@5000000 { +- reg = <0x0 0x05000000 0x0 0x300000>; +- no-map; +- }; +- }; +- + soc { + usb0: usb@c9000000 { + status = "disabled"; diff --git a/queue-4.17/arm64-dts-stratix10-fix-spi-nodes-for-stratix10.patch b/queue-4.17/arm64-dts-stratix10-fix-spi-nodes-for-stratix10.patch new file mode 100644 index 00000000000..e526f495797 --- /dev/null +++ b/queue-4.17/arm64-dts-stratix10-fix-spi-nodes-for-stratix10.patch @@ -0,0 +1,45 @@ +From 4595299c5eaebbec0ca5822214ad1925a10b3876 Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Fri, 22 Jun 2018 13:35:38 -0500 +Subject: arm64: dts: stratix10: Fix SPI nodes for Stratix10 + +From: Thor Thayer + +commit 4595299c5eaebbec0ca5822214ad1925a10b3876 upstream. + +Remove the unused bus-num node and change num-chipselect +to num-cs to match SPI bindings. + +Cc: stable@vger.kernel.org +Fixes: 78cd6a9d8e154 ("arm64: dts: Add base stratix 10 dtsi") +Signed-off-by: Thor Thayer +Signed-off-by: Dinh Nguyen +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi +@@ -252,8 +252,7 @@ + interrupts = <0 99 4>; + resets = <&rst SPIM0_RESET>; + reg-io-width = <4>; +- num-chipselect = <4>; +- bus-num = <0>; ++ num-cs = <4>; + status = "disabled"; + }; + +@@ -265,8 +264,7 @@ + interrupts = <0 100 4>; + resets = <&rst SPIM1_RESET>; + reg-io-width = <4>; +- num-chipselect = <4>; +- bus-num = <0>; ++ num-cs = <4>; + status = "disabled"; + }; + diff --git a/queue-4.17/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch b/queue-4.17/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch new file mode 100644 index 00000000000..9db3b8cd8e9 --- /dev/null +++ b/queue-4.17/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch @@ -0,0 +1,72 @@ +From 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 7 Jun 2018 12:32:05 +0100 +Subject: arm64: Fix syscall restarting around signal suppressed by tracer + +From: Dave Martin + +commit 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 upstream. + +Commit 17c2895 ("arm64: Abstract syscallno manipulation") abstracts +out the pt_regs.syscallno value for a syscall cancelled by a tracer +as NO_SYSCALL, and provides helpers to set and check for this +condition. However, the way this was implemented has the +unintended side-effect of disabling part of the syscall restart +logic. + +This comes about because the second in_syscall() check in +do_signal() re-evaluates the "in a syscall" condition based on the +updated pt_regs instead of the original pt_regs. forget_syscall() +is explicitly called prior to the second check in order to prevent +restart logic in the ret_to_user path being spuriously triggered, +which means that the second in_syscall() check always yields false. + +This triggers a failure in +tools/testing/selftests/seccomp/seccomp_bpf.c, when using ptrace to +suppress a signal that interrups a nanosleep() syscall. + +Misbehaviour of this type is only expected in the case where a +tracer suppresses a signal and the target process is either being +single-stepped or the interrupted syscall attempts to restart via +-ERESTARTBLOCK. + +This patch restores the old behaviour by performing the +in_syscall() check only once at the start of the function. + +Fixes: 17c289586009 ("arm64: Abstract syscallno manipulation") +Signed-off-by: Dave Martin +Reported-by: Sumit Semwal +Cc: Will Deacon +Cc: # 4.14.x- +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/signal.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -830,11 +830,12 @@ static void do_signal(struct pt_regs *re + unsigned long continue_addr = 0, restart_addr = 0; + int retval = 0; + struct ksignal ksig; ++ bool syscall = in_syscall(regs); + + /* + * If we were from a system call, check for system call restarting... + */ +- if (in_syscall(regs)) { ++ if (syscall) { + continue_addr = regs->pc; + restart_addr = continue_addr - (compat_thumb_mode(regs) ? 2 : 4); + retval = regs->regs[0]; +@@ -886,7 +887,7 @@ static void do_signal(struct pt_regs *re + * Handle restarting a different system call. As above, if a debugger + * has chosen to restart at a different PC, ignore the restart. + */ +- if (in_syscall(regs) && regs->pc == restart_addr) { ++ if (syscall && regs->pc == restart_addr) { + if (retval == -ERESTART_RESTARTBLOCK) + setup_restart_syscall(regs); + user_rewind_single_step(current); diff --git a/queue-4.17/arm64-kpti-use-early_param-for-kpti-command-line-option.patch b/queue-4.17/arm64-kpti-use-early_param-for-kpti-command-line-option.patch new file mode 100644 index 00000000000..2856856d427 --- /dev/null +++ b/queue-4.17/arm64-kpti-use-early_param-for-kpti-command-line-option.patch @@ -0,0 +1,39 @@ +From b5b7dd647f2d21b93f734ce890671cd908e69b0a Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 22 Jun 2018 10:25:25 +0100 +Subject: arm64: kpti: Use early_param for kpti= command-line option + +From: Will Deacon + +commit b5b7dd647f2d21b93f734ce890671cd908e69b0a upstream. + +We inspect __kpti_forced early on as part of the cpufeature enable +callback which remaps the swapper page table using non-global entries. + +Ensure that __kpti_forced has been updated to reflect the kpti= +command-line option before we start using it. + +Fixes: ea1e3de85e94 ("arm64: entry: Add fake CPU feature for unmapping the kernel at EL0") +Cc: # 4.16.x- +Reported-by: Wei Xu +Tested-by: Sudeep Holla +Tested-by: Wei Xu +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/cpufeature.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -937,7 +937,7 @@ static int __init parse_kpti(char *str) + __kpti_forced = enabled ? 1 : -1; + return 0; + } +-__setup("kpti=", parse_kpti); ++early_param("kpti", parse_kpti); + #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ + + #ifdef CONFIG_ARM64_HW_AFDBM diff --git a/queue-4.17/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch b/queue-4.17/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch new file mode 100644 index 00000000000..af75ad275ca --- /dev/null +++ b/queue-4.17/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch @@ -0,0 +1,44 @@ +From 71c8fc0c96abf8e53e74ed4d891d671e585f9076 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 22 Jun 2018 16:23:45 +0100 +Subject: arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance + +From: Will Deacon + +commit 71c8fc0c96abf8e53e74ed4d891d671e585f9076 upstream. + +When rewriting swapper using nG mappings, we must performance cache +maintenance around each page table access in order to avoid coherency +problems with the host's cacheable alias under KVM. To ensure correct +ordering of the maintenance with respect to Device memory accesses made +with the Stage-1 MMU disabled, DMBs need to be added between the +maintenance and the corresponding memory access. + +This patch adds a missing DMB between writing a new page table entry and +performing a clean+invalidate on the same line. + +Fixes: f992b4dfd58b ("arm64: kpti: Add ->enable callback to remap swapper using nG mappings") +Cc: # 4.16.x- +Acked-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/proc.S | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -217,8 +217,9 @@ ENDPROC(idmap_cpu_replace_ttbr1) + + .macro __idmap_kpti_put_pgtable_ent_ng, type + orr \type, \type, #PTE_NG // Same bit for blocks and pages +- str \type, [cur_\()\type\()p] // Update the entry and ensure it +- dc civac, cur_\()\type\()p // is visible to all CPUs. ++ str \type, [cur_\()\type\()p] // Update the entry and ensure ++ dmb sy // that it is visible to all ++ dc civac, cur_\()\type\()p // CPUs. + .endm + + /* diff --git a/queue-4.17/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch b/queue-4.17/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch new file mode 100644 index 00000000000..c8e6f05e361 --- /dev/null +++ b/queue-4.17/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch @@ -0,0 +1,42 @@ +From 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 Mon Sep 17 00:00:00 2001 +From: Amit Pundir +Date: Mon, 16 Apr 2018 12:10:24 +0530 +Subject: Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader + +From: Amit Pundir + +commit 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 upstream. + +AOSP use userspace firmware loader to load firmwares, which will +return -EAGAIN in case qca/rampatch_00440302.bin is not found. +Since there is no rampatch for dragonboard820c QCA controller +revision, just make it work as is. + +CC: Loic Poulain +CC: Nicolas Dechesne +CC: Marcel Holtmann +CC: Johan Hedberg +CC: Stable +Signed-off-by: Amit Pundir +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_qca.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -935,6 +935,12 @@ static int qca_setup(struct hci_uart *hu + } else if (ret == -ENOENT) { + /* No patch/nvm-config found, run with original fw/config */ + ret = 0; ++ } else if (ret == -EAGAIN) { ++ /* ++ * Userspace firmware loader will return -EAGAIN in case no ++ * patch/nvm-config is found, so run with original fw/config. ++ */ ++ ret = 0; + } + + /* Setup bdaddr */ diff --git a/queue-4.17/branch-check-fix-long-int-truncation-when-profiling-branches.patch b/queue-4.17/branch-check-fix-long-int-truncation-when-profiling-branches.patch new file mode 100644 index 00000000000..af46047f0be --- /dev/null +++ b/queue-4.17/branch-check-fix-long-int-truncation-when-profiling-branches.patch @@ -0,0 +1,41 @@ +From 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 30 May 2018 08:19:22 -0400 +Subject: branch-check: fix long->int truncation when profiling branches + +From: Mikulas Patocka + +commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream. + +The function __builtin_expect returns long type (see the gcc +documentation), and so do macros likely and unlikely. Unfortunatelly, when +CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and +unlikely expand to __branch_check__ and __branch_check__ truncates the +long type to int. This unintended truncation may cause bugs in various +kernel code (we found a bug in dm-writecache because of it), so it's +better to fix __branch_check__ to return long. + +Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations") +Signed-off-by: Mikulas Patocka +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -21,7 +21,7 @@ void ftrace_likely_update(struct ftrace_ + #define unlikely_notrace(x) __builtin_expect(!!(x), 0) + + #define __branch_check__(x, expect, is_constant) ({ \ +- int ______r; \ ++ long ______r; \ + static struct ftrace_likely_data \ + __attribute__((__aligned__(4))) \ + __attribute__((section("_ftrace_annotated_branch"))) \ diff --git a/queue-4.17/clk-aspeed-fix-reset-bits-for-pci-vga-and-peci.patch b/queue-4.17/clk-aspeed-fix-reset-bits-for-pci-vga-and-peci.patch new file mode 100644 index 00000000000..554ef9a5a6e --- /dev/null +++ b/queue-4.17/clk-aspeed-fix-reset-bits-for-pci-vga-and-peci.patch @@ -0,0 +1,57 @@ +From e76e56823a318ca580be4cfc5a6a9269bc70abea Mon Sep 17 00:00:00 2001 +From: Jae Hyun Yoo +Date: Thu, 26 Apr 2018 10:22:32 -0700 +Subject: clk:aspeed: Fix reset bits for PCI/VGA and PECI + +From: Jae Hyun Yoo + +commit e76e56823a318ca580be4cfc5a6a9269bc70abea upstream. + +This commit fixes incorrect setting of reset bits for PCI/VGA and +PECI modules. + +1. Reset bit for PCI/VGA is 8. +2. PECI reset bit is missing so added bit 10 as its reset bit. + +Signed-off-by: Jae Hyun Yoo +Fixes: 15ed8ce5f84e ("clk: aspeed: Register gated clocks") +Cc: stable +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk-aspeed.c | 4 ++-- + include/dt-bindings/clock/aspeed-clock.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/clk/clk-aspeed.c ++++ b/drivers/clk/clk-aspeed.c +@@ -88,7 +88,7 @@ static const struct aspeed_gate_data asp + [ASPEED_CLK_GATE_GCLK] = { 1, 7, "gclk-gate", NULL, 0 }, /* 2D engine */ + [ASPEED_CLK_GATE_MCLK] = { 2, -1, "mclk-gate", "mpll", CLK_IS_CRITICAL }, /* SDRAM */ + [ASPEED_CLK_GATE_VCLK] = { 3, 6, "vclk-gate", NULL, 0 }, /* Video Capture */ +- [ASPEED_CLK_GATE_BCLK] = { 4, 10, "bclk-gate", "bclk", 0 }, /* PCIe/PCI */ ++ [ASPEED_CLK_GATE_BCLK] = { 4, 8, "bclk-gate", "bclk", 0 }, /* PCIe/PCI */ + [ASPEED_CLK_GATE_DCLK] = { 5, -1, "dclk-gate", NULL, 0 }, /* DAC */ + [ASPEED_CLK_GATE_REFCLK] = { 6, -1, "refclk-gate", "clkin", CLK_IS_CRITICAL }, + [ASPEED_CLK_GATE_USBPORT2CLK] = { 7, 3, "usb-port2-gate", NULL, 0 }, /* USB2.0 Host port 2 */ +@@ -297,7 +297,7 @@ static const u8 aspeed_resets[] = { + [ASPEED_RESET_JTAG_MASTER] = 22, + [ASPEED_RESET_MIC] = 18, + [ASPEED_RESET_PWM] = 9, +- [ASPEED_RESET_PCIVGA] = 8, ++ [ASPEED_RESET_PECI] = 10, + [ASPEED_RESET_I2C] = 2, + [ASPEED_RESET_AHB] = 1, + }; +--- a/include/dt-bindings/clock/aspeed-clock.h ++++ b/include/dt-bindings/clock/aspeed-clock.h +@@ -45,7 +45,7 @@ + #define ASPEED_RESET_JTAG_MASTER 3 + #define ASPEED_RESET_MIC 4 + #define ASPEED_RESET_PWM 5 +-#define ASPEED_RESET_PCIVGA 6 ++#define ASPEED_RESET_PECI 6 + #define ASPEED_RESET_I2C 7 + #define ASPEED_RESET_AHB 8 + diff --git a/queue-4.17/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch b/queue-4.17/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch new file mode 100644 index 00000000000..0e9cca6e689 --- /dev/null +++ b/queue-4.17/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch @@ -0,0 +1,146 @@ +From 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 Mon Sep 17 00:00:00 2001 +From: "Gautham R. Shenoy" +Date: Thu, 31 May 2018 17:45:09 +0530 +Subject: cpuidle: powernv: Fix promotion from snooze if next state disabled + +From: Gautham R. Shenoy + +commit 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 upstream. + +The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of +snooze to deeper idle state") introduced a timeout for the snooze idle +state so that it could be eventually be promoted to a deeper idle +state. The snooze timeout value is static and set to the target +residency of the next idle state, which would train the cpuidle +governor to pick the next idle state eventually. + +The unfortunate side-effect of this is that if the next idle state(s) +is disabled, the CPU will forever remain in snooze, despite the fact +that the system is completely idle, and other deeper idle states are +available. + +This patch fixes the issue by dynamically setting the snooze timeout +to the target residency of the next enabled state on the device. + +Before Patch: + POWER8 : Only nap disabled. + $ cpupower monitor sleep 30 + sleep took 30.01297 seconds and exited with status 0 + |Idle_Stats + PKG |CORE|CPU | snoo | Nap | Fast + 0| 8| 0| 96.41| 0.00| 0.00 + 0| 8| 1| 96.43| 0.00| 0.00 + 0| 8| 2| 96.47| 0.00| 0.00 + 0| 8| 3| 96.35| 0.00| 0.00 + 0| 8| 4| 96.37| 0.00| 0.00 + 0| 8| 5| 96.37| 0.00| 0.00 + 0| 8| 6| 96.47| 0.00| 0.00 + 0| 8| 7| 96.47| 0.00| 0.00 + + POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1, + stop2) disabled: + $ cpupower monitor sleep 30 + sleep took 30.05033 seconds and exited with status 0 + |Idle_Stats + PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop + 0| 16| 0| 89.79| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00 + 0| 16| 1| 90.12| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00 + 0| 16| 2| 90.21| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00 + 0| 16| 3| 90.29| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00 + +After Patch: + POWER8 : Only nap disabled. + $ cpupower monitor sleep 30 + sleep took 30.01200 seconds and exited with status 0 + |Idle_Stats + PKG |CORE|CPU | snoo | Nap | Fast + 0| 8| 0| 16.58| 0.00| 77.21 + 0| 8| 1| 18.42| 0.00| 75.38 + 0| 8| 2| 4.70| 0.00| 94.09 + 0| 8| 3| 17.06| 0.00| 81.73 + 0| 8| 4| 3.06| 0.00| 95.73 + 0| 8| 5| 7.00| 0.00| 96.80 + 0| 8| 6| 1.00| 0.00| 98.79 + 0| 8| 7| 5.62| 0.00| 94.17 + + POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1, + stop2) disabled: + + $ cpupower monitor sleep 30 + sleep took 30.02110 seconds and exited with status 0 + |Idle_Stats + PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop + 0| 0| 0| 0.69| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 9.39| 89.70 + 0| 0| 1| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.05| 93.21 + 0| 0| 2| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 89.93 + 0| 0| 3| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 93.26 + +Fixes: 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Gautham R. Shenoy +Reviewed-by: Balbir Singh +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/cpuidle-powernv.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -43,9 +43,31 @@ struct stop_psscr_table { + + static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX] __read_mostly; + +-static u64 snooze_timeout __read_mostly; ++static u64 default_snooze_timeout __read_mostly; + static bool snooze_timeout_en __read_mostly; + ++static u64 get_snooze_timeout(struct cpuidle_device *dev, ++ struct cpuidle_driver *drv, ++ int index) ++{ ++ int i; ++ ++ if (unlikely(!snooze_timeout_en)) ++ return default_snooze_timeout; ++ ++ for (i = index + 1; i < drv->state_count; i++) { ++ struct cpuidle_state *s = &drv->states[i]; ++ struct cpuidle_state_usage *su = &dev->states_usage[i]; ++ ++ if (s->disabled || su->disable) ++ continue; ++ ++ return s->target_residency * tb_ticks_per_usec; ++ } ++ ++ return default_snooze_timeout; ++} ++ + static int snooze_loop(struct cpuidle_device *dev, + struct cpuidle_driver *drv, + int index) +@@ -56,7 +78,7 @@ static int snooze_loop(struct cpuidle_de + + local_irq_enable(); + +- snooze_exit_time = get_tb() + snooze_timeout; ++ snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index); + ppc64_runlatch_off(); + HMT_very_low(); + while (!need_resched()) { +@@ -465,11 +487,9 @@ static int powernv_idle_probe(void) + cpuidle_state_table = powernv_states; + /* Device tree can indicate more idle states */ + max_idle_state = powernv_add_idle_states(); +- if (max_idle_state > 1) { ++ default_snooze_timeout = TICK_USEC * tb_ticks_per_usec; ++ if (max_idle_state > 1) + snooze_timeout_en = true; +- snooze_timeout = powernv_states[1].target_residency * +- tb_ticks_per_usec; +- } + } else + return -ENODEV; + diff --git a/queue-4.17/crypto-arm64-aes-blk-fix-and-move-skcipher_walk_done-out-of-kernel_neon_begin-_end.patch b/queue-4.17/crypto-arm64-aes-blk-fix-and-move-skcipher_walk_done-out-of-kernel_neon_begin-_end.patch new file mode 100644 index 00000000000..a4f0ea77164 --- /dev/null +++ b/queue-4.17/crypto-arm64-aes-blk-fix-and-move-skcipher_walk_done-out-of-kernel_neon_begin-_end.patch @@ -0,0 +1,68 @@ +From 6e88f01206edab0e5bc105d8f35fac10f4ee14c5 Mon Sep 17 00:00:00 2001 +From: Jia He +Date: Fri, 8 Jun 2018 15:41:44 +0800 +Subject: crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end + +From: Jia He + +commit 6e88f01206edab0e5bc105d8f35fac10f4ee14c5 upstream. + +In a arm64 server(QDF2400),I met a similar might-sleep warning as [1]: +[ 7.019116] BUG: sleeping function called from invalid context at +./include/crypto/algapi.h:416 +[ 7.027863] in_atomic(): 1, irqs_disabled(): 0, pid: 410, name: +cryptomgr_test +[ 7.035106] 1 lock held by cryptomgr_test/410: +[ 7.039549] #0: (ptrval) (&drbg->drbg_mutex){+.+.}, at: +drbg_instantiate+0x34/0x398 +[ 7.048038] CPU: 9 PID: 410 Comm: cryptomgr_test Not tainted +4.17.0-rc6+ #27 +[ 7.068228] dump_backtrace+0x0/0x1c0 +[ 7.071890] show_stack+0x24/0x30 +[ 7.075208] dump_stack+0xb0/0xec +[ 7.078523] ___might_sleep+0x160/0x238 +[ 7.082360] skcipher_walk_done+0x118/0x2c8 +[ 7.086545] ctr_encrypt+0x98/0x130 +[ 7.090035] simd_skcipher_encrypt+0x68/0xc0 +[ 7.094304] drbg_kcapi_sym_ctr+0xd4/0x1f8 +[ 7.098400] drbg_ctr_update+0x98/0x330 +[ 7.102236] drbg_seed+0x1b8/0x2f0 +[ 7.105637] drbg_instantiate+0x2ac/0x398 +[ 7.109646] drbg_kcapi_seed+0xbc/0x188 +[ 7.113482] crypto_rng_reset+0x4c/0xb0 +[ 7.117319] alg_test_drbg+0xec/0x330 +[ 7.120981] alg_test.part.6+0x1c8/0x3c8 +[ 7.124903] alg_test+0x58/0xa0 +[ 7.128044] cryptomgr_test+0x50/0x58 +[ 7.131708] kthread+0x134/0x138 +[ 7.134936] ret_from_fork+0x10/0x1c + +Seems there is a bug in Ard Biesheuvel's commit. +Fixes: 683381747270 ("crypto: arm64/aes-blk - move kernel mode neon +en/disable into loop") + +[1] https://www.spinics.net/lists/linux-crypto/msg33103.html + +Signed-off-by: jia.he@hxt-semitech.com +Acked-by: Ard Biesheuvel +Cc: # 4.17 +Acked-by: Will Deacon +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/crypto/aes-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/crypto/aes-glue.c ++++ b/arch/arm64/crypto/aes-glue.c +@@ -223,8 +223,8 @@ static int ctr_encrypt(struct skcipher_r + kernel_neon_begin(); + aes_ctr_encrypt(walk.dst.virt.addr, walk.src.virt.addr, + (u8 *)ctx->key_enc, rounds, blocks, walk.iv); +- err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); + kernel_neon_end(); ++ err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); + } + if (walk.nbytes) { + u8 __aligned(8) tail[AES_BLOCK_SIZE]; diff --git a/queue-4.17/cxl-configure-psl-to-not-use-apc-virtual-machines.patch b/queue-4.17/cxl-configure-psl-to-not-use-apc-virtual-machines.patch new file mode 100644 index 00000000000..35f9989813d --- /dev/null +++ b/queue-4.17/cxl-configure-psl-to-not-use-apc-virtual-machines.patch @@ -0,0 +1,41 @@ +From 9a6d2022bacd8fca0be6297459a02dfd28dad6ba Mon Sep 17 00:00:00 2001 +From: Vaibhav Jain +Date: Tue, 17 Apr 2018 10:41:02 +0530 +Subject: cxl: Configure PSL to not use APC virtual machines + +From: Vaibhav Jain + +commit 9a6d2022bacd8fca0be6297459a02dfd28dad6ba upstream. + +APC virtual machines arent used on POWER-9 chips and are already +disabled in on-chip CAPP. They also need to be disabled on the PSL via +'PSL Data Send Control Register' by setting bit(47). This forces the +PSL to send commands to CAPP with queue.id == 0. + +Fixes: 5632874311db ("cxl: Add support for POWER9 DD2") +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Vaibhav Jain +Acked-by: Andrew Donnellan +Reviewed-by: Alastair D'Silva +Reviewed-by: Christophe Lombard +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -514,9 +514,9 @@ static int init_implementation_adapter_r + cxl_p1_write(adapter, CXL_PSL9_FIR_CNTL, psl_fircntl); + + /* Setup the PSL to transmit packets on the PCIe before the +- * CAPP is enabled ++ * CAPP is enabled. Make sure that CAPP virtual machines are disabled + */ +- cxl_p1_write(adapter, CXL_PSL9_DSNDCTL, 0x0001001000002A10ULL); ++ cxl_p1_write(adapter, CXL_PSL9_DSNDCTL, 0x0001001000012A10ULL); + + /* + * A response to an ASB_Notify request is returned by the diff --git a/queue-4.17/cxl-disable-prefault_mode-in-radix-mode.patch b/queue-4.17/cxl-disable-prefault_mode-in-radix-mode.patch new file mode 100644 index 00000000000..dcfd047c2aa --- /dev/null +++ b/queue-4.17/cxl-disable-prefault_mode-in-radix-mode.patch @@ -0,0 +1,100 @@ +From b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 Mon Sep 17 00:00:00 2001 +From: Vaibhav Jain +Date: Fri, 18 May 2018 15:12:23 +0530 +Subject: cxl: Disable prefault_mode in Radix mode + +From: Vaibhav Jain + +commit b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 upstream. + +Currently we see a kernel-oops reported on Power-9 while attaching a +context to an AFU, with radix-mode and sysfs attr 'prefault_mode' set +to anything other than 'none'. The backtrace of the oops is of this +form: + + Unable to handle kernel paging request for data at address 0x00000080 + Faulting instruction address: 0xc00800000bcf3b20 + cpu 0x1: Vector: 300 (Data Access) at [c00000037f003800] + pc: c00800000bcf3b20: cxl_load_segment+0x178/0x290 [cxl] + lr: c00800000bcf39f0: cxl_load_segment+0x48/0x290 [cxl] + sp: c00000037f003a80 + msr: 9000000000009033 + dar: 80 + dsisr: 40000000 + current = 0xc00000037f280000 + paca = 0xc0000003ffffe600 softe: 3 irq_happened: 0x01 + pid = 3529, comm = afp_no_int + + cxl_prefault+0xfc/0x248 [cxl] + process_element_entry_psl9+0xd8/0x1a0 [cxl] + cxl_attach_dedicated_process_psl9+0x44/0x130 [cxl] + native_attach_process+0xc0/0x130 [cxl] + afu_ioctl+0x3f4/0x5e0 [cxl] + do_vfs_ioctl+0xdc/0x890 + ksys_ioctl+0x68/0xf0 + sys_ioctl+0x40/0xa0 + system_call+0x58/0x6c + +The issue is caused as on Power-8 the AFU attr 'prefault_mode' was +used to improve initial storage fault performance by prefaulting +process segments. However on Power-9 with radix mode we don't have +Storage-Segments that we can prefault. Also prefaulting process Pages +will be too costly and fine-grained. + +Hence, since the prefaulting mechanism doesn't makes sense of +radix-mode, this patch updates prefault_mode_store() to not allow any +other value apart from CXL_PREFAULT_NONE when radix mode is enabled. + +Fixes: f24be42aab37 ("cxl: Add psl9 specific code") +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Vaibhav Jain +Acked-by: Frederic Barrat +Acked-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/testing/sysfs-class-cxl | 4 +++- + drivers/misc/cxl/sysfs.c | 16 ++++++++++++---- + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/Documentation/ABI/testing/sysfs-class-cxl ++++ b/Documentation/ABI/testing/sysfs-class-cxl +@@ -69,7 +69,9 @@ Date: September 2014 + Contact: linuxppc-dev@lists.ozlabs.org + Description: read/write + Set the mode for prefaulting in segments into the segment table +- when performing the START_WORK ioctl. Possible values: ++ when performing the START_WORK ioctl. Only applicable when ++ running under hashed page table mmu. ++ Possible values: + none: No prefaulting (default) + work_element_descriptor: Treat the work element + descriptor as an effective address and +--- a/drivers/misc/cxl/sysfs.c ++++ b/drivers/misc/cxl/sysfs.c +@@ -353,12 +353,20 @@ static ssize_t prefault_mode_store(struc + struct cxl_afu *afu = to_cxl_afu(device); + enum prefault_modes mode = -1; + +- if (!strncmp(buf, "work_element_descriptor", 23)) +- mode = CXL_PREFAULT_WED; +- if (!strncmp(buf, "all", 3)) +- mode = CXL_PREFAULT_ALL; + if (!strncmp(buf, "none", 4)) + mode = CXL_PREFAULT_NONE; ++ else { ++ if (!radix_enabled()) { ++ ++ /* only allowed when not in radix mode */ ++ if (!strncmp(buf, "work_element_descriptor", 23)) ++ mode = CXL_PREFAULT_WED; ++ if (!strncmp(buf, "all", 3)) ++ mode = CXL_PREFAULT_ALL; ++ } else { ++ dev_err(device, "Cannot prefault with radix enabled\n"); ++ } ++ } + + if (mode == -1) + return -EINVAL; diff --git a/queue-4.17/efi-libstub-tpm-initialize-efi_physical_addr_t-vars-to-zero-for-mixed-mode.patch b/queue-4.17/efi-libstub-tpm-initialize-efi_physical_addr_t-vars-to-zero-for-mixed-mode.patch new file mode 100644 index 00000000000..39b5c5ff968 --- /dev/null +++ b/queue-4.17/efi-libstub-tpm-initialize-efi_physical_addr_t-vars-to-zero-for-mixed-mode.patch @@ -0,0 +1,52 @@ +From 52e1cf2d19c2e62e6a81b8de3f7320d033917dd5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 22 Jun 2018 08:42:22 +0200 +Subject: efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed mode + +From: Hans de Goede + +commit 52e1cf2d19c2e62e6a81b8de3f7320d033917dd5 upstream. + +Commit: + + 79832f0b5f71 ("efi/libstub/tpm: Initialize pointer variables to zero for mixed mode") + +fixes a problem with the tpm code on mixed mode (64-bit kernel on 32-bit UEFI), +where 64-bit pointer variables are not fully initialized by the 32-bit EFI code. + +A similar problem applies to the efi_physical_addr_t variables which +are written by the ->get_event_log() EFI call. Even though efi_physical_addr_t +is 64-bit everywhere, it seems that some 32-bit UEFI implementations only +fill in the lower 32 bits when passed a pointer to an efi_physical_addr_t +to fill. + +This commit initializes these to 0 to, to ensure the upper 32 bits are +0 in mixed mode. This fixes recent kernels sometimes hanging during +early boot on mixed mode UEFI systems. + +Signed-off-by: Hans de Goede +Signed-off-by: Ard Biesheuvel +Cc: # v4.16+ +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20180622064222.11633-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/libstub/tpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/libstub/tpm.c ++++ b/drivers/firmware/efi/libstub/tpm.c +@@ -64,7 +64,7 @@ void efi_retrieve_tpm2_eventlog_1_2(efi_ + efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID; + efi_guid_t linux_eventlog_guid = LINUX_EFI_TPM_EVENT_LOG_GUID; + efi_status_t status; +- efi_physical_addr_t log_location, log_last_entry; ++ efi_physical_addr_t log_location = 0, log_last_entry = 0; + struct linux_efi_tpm_eventlog *log_tbl = NULL; + unsigned long first_entry_addr, last_entry_addr; + size_t log_size, last_entry_size; diff --git a/queue-4.17/fuse-atomic_o_trunc-should-truncate-pagecache.patch b/queue-4.17/fuse-atomic_o_trunc-should-truncate-pagecache.patch new file mode 100644 index 00000000000..f4208312bc5 --- /dev/null +++ b/queue-4.17/fuse-atomic_o_trunc-should-truncate-pagecache.patch @@ -0,0 +1,52 @@ +From df0e91d488276086bc07da2e389986cae0048c37 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 8 Feb 2018 15:17:38 +0100 +Subject: fuse: atomic_o_trunc should truncate pagecache + +From: Miklos Szeredi + +commit df0e91d488276086bc07da2e389986cae0048c37 upstream. + +Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the +O_TRUNC flag in the OPEN request to truncate the file atomically with the +open. + +In this mode there's no need to send a SETATTR request to userspace after +the open, so fuse_do_setattr() checks this mode and returns. But this +misses the important step of truncating the pagecache. + +Add the missing parts of truncation to the ATTR_OPEN branch. + +Reported-by: Chad Austin +Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support") +Signed-off-by: Miklos Szeredi +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1629,8 +1629,19 @@ int fuse_do_setattr(struct dentry *dentr + return err; + + if (attr->ia_valid & ATTR_OPEN) { +- if (fc->atomic_o_trunc) ++ /* This is coming from open(..., ... | O_TRUNC); */ ++ WARN_ON(!(attr->ia_valid & ATTR_SIZE)); ++ WARN_ON(attr->ia_size != 0); ++ if (fc->atomic_o_trunc) { ++ /* ++ * No need to send request to userspace, since actual ++ * truncation has already been done by OPEN. But still ++ * need to truncate page cache. ++ */ ++ i_size_write(inode, 0); ++ truncate_pagecache(inode, 0); + return 0; ++ } + file = NULL; + } + diff --git a/queue-4.17/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch b/queue-4.17/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch new file mode 100644 index 00000000000..6b552e5e143 --- /dev/null +++ b/queue-4.17/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch @@ -0,0 +1,41 @@ +From 543b8f8662fe6d21f19958b666ab0051af9db21a Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Tue, 1 May 2018 13:12:14 +0900 +Subject: fuse: don't keep dead fuse_conn at fuse_fill_super(). + +From: Tetsuo Handa + +commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream. + +syzbot is reporting use-after-free at fuse_kill_sb_blk() [1]. +Since sb->s_fs_info field is not cleared after fc was released by +fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds +already released fc and tries to hold the lock. Fix this by clearing +sb->s_fs_info field after calling fuse_conn_put(). + +[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls") +Cc: John Muir +Cc: Csaba Henk +Cc: Anand Avati +Cc: # v2.6.31 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -1179,6 +1179,7 @@ static int fuse_fill_super(struct super_ + fuse_dev_free(fud); + err_put_conn: + fuse_conn_put(fc); ++ sb->s_fs_info = NULL; + err_fput: + fput(file); + err: diff --git a/queue-4.17/fuse-fix-congested-state-leak-on-aborted-connections.patch b/queue-4.17/fuse-fix-congested-state-leak-on-aborted-connections.patch new file mode 100644 index 00000000000..65ae7641b2b --- /dev/null +++ b/queue-4.17/fuse-fix-congested-state-leak-on-aborted-connections.patch @@ -0,0 +1,49 @@ +From 8a301eb16d99983a4961f884690ec97b92e7dcfe Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 2 Feb 2018 09:54:14 -0800 +Subject: fuse: fix congested state leak on aborted connections + +From: Tejun Heo + +commit 8a301eb16d99983a4961f884690ec97b92e7dcfe upstream. + +If a connection gets aborted while congested, FUSE can leave +nr_wb_congested[] stuck until reboot causing wait_iff_congested() to +wait spuriously which can lead to severe performance degradation. + +The leak is caused by gating congestion state clearing with +fc->connected test in request_end(). This was added way back in 2009 +by 26c3679101db ("fuse: destroy bdi on umount"). While the commit +description doesn't explain why the test was added, it most likely was +to avoid dereferencing bdi after it got destroyed. + +Since then, bdi lifetime rules have changed many times and now we're +always guaranteed to have access to the bdi while the superblock is +alive (fc->sb). + +Drop fc->connected conditional to avoid leaking congestion states. + +Signed-off-by: Tejun Heo +Reported-by: Joshua Miller +Cc: Johannes Weiner +Cc: stable@vger.kernel.org # v2.6.29+ +Acked-by: Jan Kara +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -381,8 +381,7 @@ static void request_end(struct fuse_conn + if (!fc->blocked && waitqueue_active(&fc->blocked_waitq)) + wake_up(&fc->blocked_waitq); + +- if (fc->num_background == fc->congestion_threshold && +- fc->connected && fc->sb) { ++ if (fc->num_background == fc->congestion_threshold && fc->sb) { + clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC); + clear_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC); + } diff --git a/queue-4.17/fuse-fix-control-dir-setup-and-teardown.patch b/queue-4.17/fuse-fix-control-dir-setup-and-teardown.patch new file mode 100644 index 00000000000..af9f9127706 --- /dev/null +++ b/queue-4.17/fuse-fix-control-dir-setup-and-teardown.patch @@ -0,0 +1,68 @@ +From 6becdb601bae2a043d7fb9762c4d48699528ea6e Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 31 May 2018 12:26:10 +0200 +Subject: fuse: fix control dir setup and teardown + +From: Miklos Szeredi + +commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream. + +syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1]. +Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode() +failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to +clear d_inode(dentry)->i_private field. + +Fix by only adding the dentry to the array after being fully set up. + +When tearing down the control directory, do d_invalidate() on it to get rid +of any mounts that might have been added. + +[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6 +Reported-by: syzbot +Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem") +Cc: # v2.6.18 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/control.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/fuse/control.c ++++ b/fs/fuse/control.c +@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr + if (!dentry) + return NULL; + +- fc->ctl_dentry[fc->ctl_ndents++] = dentry; + inode = new_inode(fuse_control_sb); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + return NULL; ++ } + + inode->i_ino = get_next_ino(); + inode->i_mode = mode; +@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr + set_nlink(inode, nlink); + inode->i_private = fc; + d_add(dentry, inode); ++ ++ fc->ctl_dentry[fc->ctl_ndents++] = dentry; ++ + return dentry; + } + +@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co + for (i = fc->ctl_ndents - 1; i >= 0; i--) { + struct dentry *dentry = fc->ctl_dentry[i]; + d_inode(dentry)->i_private = NULL; +- d_drop(dentry); ++ if (!i) { ++ /* Get rid of submounts: */ ++ d_invalidate(dentry); ++ } + dput(dentry); + } + drop_nlink(d_inode(fuse_control_sb->s_root)); diff --git a/queue-4.17/hwrng-core-always-drop-the-rng-in-hwrng_unregister.patch b/queue-4.17/hwrng-core-always-drop-the-rng-in-hwrng_unregister.patch new file mode 100644 index 00000000000..b9dcb348ed4 --- /dev/null +++ b/queue-4.17/hwrng-core-always-drop-the-rng-in-hwrng_unregister.patch @@ -0,0 +1,60 @@ +From 837bf7cc3b7504385ae0e829c72e470dfc27cf6c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20B=C3=BCsch?= +Date: Thu, 14 Jun 2018 20:08:11 +0200 +Subject: hwrng: core - Always drop the RNG in hwrng_unregister() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Buesch + +commit 837bf7cc3b7504385ae0e829c72e470dfc27cf6c upstream. + +enable_best_rng() is used in hwrng_unregister() to switch away from the +currently active RNG, if that is the one currently being removed. +However enable_best_rng() might fail, if the next RNG's init routine +fails. In that case enable_best_rng() will return an error code and +the currently active RNG will remain active. +After unregistering this might lead to crashes due to use-after-free. + +Fix this by dropping the currently active RNG, if enable_best_rng() +failed. This will result in no RNG to be active, if the next-best +one failed to initialize. + +This problem was introduced by 142a27f0a731ddcf467546960a5585970ca98e21 + +Fixes: 142a27f0a731 ("hwrng: core - Reset user selected rng by...") +Reported-by: Wirz +Tested-by: Wirz +Signed-off-by: Michael Büsch +Cc: stable@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hw_random/core.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/char/hw_random/core.c ++++ b/drivers/char/hw_random/core.c +@@ -516,11 +516,18 @@ EXPORT_SYMBOL_GPL(hwrng_register); + + void hwrng_unregister(struct hwrng *rng) + { ++ int err; ++ + mutex_lock(&rng_mutex); + + list_del(&rng->list); +- if (current_rng == rng) +- enable_best_rng(); ++ if (current_rng == rng) { ++ err = enable_best_rng(); ++ if (err) { ++ drop_current_rng(); ++ cur_rng_set_by_user = 0; ++ } ++ } + + if (list_empty(&rng_list)) { + mutex_unlock(&rng_mutex); diff --git a/queue-4.17/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch b/queue-4.17/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch new file mode 100644 index 00000000000..4ba2a15a390 --- /dev/null +++ b/queue-4.17/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch @@ -0,0 +1,68 @@ +From 08bb558ac11ab944e0539e78619d7b4c356278bd Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 23 May 2018 15:30:30 +0300 +Subject: IB/core: Make testing MR flags for writability a static inline function + +From: Jack Morgenstein + +commit 08bb558ac11ab944e0539e78619d7b4c356278bd upstream. + +Make the MR writability flags check, which is performed in umem.c, +a static inline function in file ib_verbs.h + +This allows the function to be used by low-level infiniband drivers. + +Cc: +Signed-off-by: Jason Gunthorpe +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/umem.c | 11 +---------- + include/rdma/ib_verbs.h | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -119,16 +119,7 @@ struct ib_umem *ib_umem_get(struct ib_uc + umem->length = size; + umem->address = addr; + umem->page_shift = PAGE_SHIFT; +- /* +- * We ask for writable memory if any of the following +- * access flags are set. "Local write" and "remote write" +- * obviously require write access. "Remote atomic" can do +- * things like fetch and add, which will modify memory, and +- * "MW bind" can change permissions by binding a window. +- */ +- umem->writable = !!(access & +- (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | +- IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND)); ++ umem->writable = ib_access_writable(access); + + if (access & IB_ACCESS_ON_DEMAND) { + ret = ib_umem_odp_get(context, umem, access); +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -3734,6 +3734,20 @@ static inline int ib_check_mr_access(int + return 0; + } + ++static inline bool ib_access_writable(int access_flags) ++{ ++ /* ++ * We have writable memory backing the MR if any of the following ++ * access flags are set. "Local write" and "remote write" obviously ++ * require write access. "Remote atomic" can do things like fetch and ++ * add, which will modify memory, and "MW bind" can change permissions ++ * by binding a window. ++ */ ++ return access_flags & ++ (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | ++ IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND); ++} ++ + /** + * ib_check_mr_status: lightweight check of MR status. + * This routine may provide status checks on a selected diff --git a/queue-4.17/ib-hfi1-fix-fault-injection-init-exit-issues.patch b/queue-4.17/ib-hfi1-fix-fault-injection-init-exit-issues.patch new file mode 100644 index 00000000000..98da429bbf4 --- /dev/null +++ b/queue-4.17/ib-hfi1-fix-fault-injection-init-exit-issues.patch @@ -0,0 +1,122 @@ +From 8c79d8223bb11b2f005695a32ddd3985de97727c Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Wed, 2 May 2018 06:42:44 -0700 +Subject: IB/hfi1: Fix fault injection init/exit issues + +From: Mike Marciniszyn + +commit 8c79d8223bb11b2f005695a32ddd3985de97727c upstream. + +There are config dependent code paths that expose panics in unload +paths both in this file and in debugfs_remove_recursive() because +CONFIG_FAULT_INJECTION and CONFIG_FAULT_INJECTION_DEBUG_FS can be +set independently. + +Having CONFIG_FAULT_INJECTION set and CONFIG_FAULT_INJECTION_DEBUG_FS +reset causes fault_create_debugfs_attr() to return an error. + +The debugfs.c routines tolerate failures, but the module unload panics +dereferencing a NULL in the two exit routines. If that is fixed, the +dir passed to debugfs_remove_recursive comes from a memory location +that was freed and potentially reused causing a segfault or corrupting +memory. + +Here is an example of the NULL deref panic: + +[66866.286829] BUG: unable to handle kernel NULL pointer dereference at 0000000000000088 +[66866.295602] IP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] +[66866.301138] PGD 858496067 P4D 858496067 PUD 8433a7067 PMD 0 +[66866.307452] Oops: 0000 [#1] SMP +[66866.310953] Modules linked in: hfi1(-) rdmavt rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm iw_cm ib_cm ib_core rpcsec_gss_krb5 nfsv4 dns_resolver nfsv3 nfs fscache sb_edac x86_pkg_temp_thermal intel_powerclamp vfat fat coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel iTCO_wdt iTCO_vendor_support crypto_simd mei_me glue_helper cryptd mxm_wmi ipmi_si pcspkr lpc_ich sg mei ioatdma ipmi_devintf i2c_i801 mfd_core shpchp ipmi_msghandler wmi acpi_power_meter acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt igb fb_sys_fops ttm ahci ptp crc32c_intel libahci pps_core drm dca libata i2c_algo_bit i2c_core [last unloaded: opa_vnic] +[66866.385551] CPU: 8 PID: 7470 Comm: rmmod Not tainted 4.14.0-mam-tid-rdma #2 +[66866.393317] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016 +[66866.405252] task: ffff88084f28c380 task.stack: ffffc90008454000 +[66866.411866] RIP: 0010:hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] +[66866.417984] RSP: 0018:ffffc90008457da0 EFLAGS: 00010202 +[66866.423812] RAX: 0000000000000000 RBX: ffff880857de0000 RCX: 0000000180040001 +[66866.431773] RDX: 0000000180040002 RSI: ffffea0021088200 RDI: 0000000040000000 +[66866.439734] RBP: ffffc90008457da8 R08: ffff88084220e000 R09: 0000000180040001 +[66866.447696] R10: 000000004220e001 R11: ffff88084220e000 R12: ffff88085a31c000 +[66866.455657] R13: ffffffffa07c9820 R14: ffffffffa07c9890 R15: ffff881059d78100 +[66866.463618] FS: 00007f6876047740(0000) GS:ffff88085f800000(0000) knlGS:0000000000000000 +[66866.472644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[66866.479053] CR2: 0000000000000088 CR3: 0000000856357006 CR4: 00000000001606e0 +[66866.487013] Call Trace: +[66866.489747] remove_one+0x1f/0x220 [hfi1] +[66866.494221] pci_device_remove+0x39/0xc0 +[66866.498596] device_release_driver_internal+0x141/0x210 +[66866.504424] driver_detach+0x3f/0x80 +[66866.508409] bus_remove_driver+0x55/0xd0 +[66866.512784] driver_unregister+0x2c/0x50 +[66866.517164] pci_unregister_driver+0x2a/0xa0 +[66866.521934] hfi1_mod_cleanup+0x10/0xaa2 [hfi1] +[66866.526988] SyS_delete_module+0x171/0x250 +[66866.531558] do_syscall_64+0x67/0x1b0 +[66866.535644] entry_SYSCALL64_slow_path+0x25/0x25 +[66866.540792] RIP: 0033:0x7f6875525c27 +[66866.544777] RSP: 002b:00007ffd48528e78 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[66866.553224] RAX: ffffffffffffffda RBX: 0000000001cc01d0 RCX: 00007f6875525c27 +[66866.561185] RDX: 00007f6875596000 RSI: 0000000000000800 RDI: 0000000001cc0238 +[66866.569146] RBP: 0000000000000000 R08: 00007f68757e9060 R09: 00007f6875596000 +[66866.577120] R10: 00007ffd48528c00 R11: 0000000000000206 R12: 00007ffd48529db4 +[66866.585080] R13: 0000000000000000 R14: 0000000001cc01d0 R15: 0000000001cc0010 +[66866.593040] Code: 90 0f 1f 44 00 00 48 83 3d a3 8b 03 00 00 55 48 89 e5 53 48 89 fb 74 4e 48 8d bf 18 0c 00 00 e8 9d f2 ff ff 48 8b 83 20 0c 00 00 <48> 8b b8 88 00 00 00 e8 2a 21 b3 e0 48 8b bb 20 0c 00 00 e8 0e +[66866.614127] RIP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] RSP: ffffc90008457da0 +[66866.621885] CR2: 0000000000000088 +[66866.625618] ---[ end trace c4817425783fb092 ]--- + +Fix by insuring that upon failure from fault_create_debugfs_attr() the +parent pointer for the routines is always set to NULL and guards added +in the exit routines to insure that debugfs_remove_recursive() is not +called when when the parent pointer is NULL. + +Fixes: 0181ce31b260 ("IB/hfi1: Add receive fault injection feature") +Cc: # 4.14.x +Reviewed-by: Michael J. Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/debugfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/debugfs.c ++++ b/drivers/infiniband/hw/hfi1/debugfs.c +@@ -1227,7 +1227,8 @@ DEBUGFS_FILE_OPS(fault_stats); + + static void fault_exit_opcode_debugfs(struct hfi1_ibdev *ibd) + { +- debugfs_remove_recursive(ibd->fault_opcode->dir); ++ if (ibd->fault_opcode) ++ debugfs_remove_recursive(ibd->fault_opcode->dir); + kfree(ibd->fault_opcode); + ibd->fault_opcode = NULL; + } +@@ -1255,6 +1256,7 @@ static int fault_init_opcode_debugfs(str + &ibd->fault_opcode->attr); + if (IS_ERR(ibd->fault_opcode->dir)) { + kfree(ibd->fault_opcode); ++ ibd->fault_opcode = NULL; + return -ENOENT; + } + +@@ -1278,7 +1280,8 @@ fail: + + static void fault_exit_packet_debugfs(struct hfi1_ibdev *ibd) + { +- debugfs_remove_recursive(ibd->fault_packet->dir); ++ if (ibd->fault_packet) ++ debugfs_remove_recursive(ibd->fault_packet->dir); + kfree(ibd->fault_packet); + ibd->fault_packet = NULL; + } +@@ -1304,6 +1307,7 @@ static int fault_init_packet_debugfs(str + &ibd->fault_opcode->attr); + if (IS_ERR(ibd->fault_packet->dir)) { + kfree(ibd->fault_packet); ++ ibd->fault_packet = NULL; + return -ENOENT; + } + diff --git a/queue-4.17/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch b/queue-4.17/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch new file mode 100644 index 00000000000..84fda1b59c0 --- /dev/null +++ b/queue-4.17/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch @@ -0,0 +1,123 @@ +From 1bc0299d976e000ececc6acd76e33b4582646cb7 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Thu, 31 May 2018 11:30:09 -0700 +Subject: IB/hfi1: Fix user context tail allocation for DMA_RTAIL + +From: Mike Marciniszyn + +commit 1bc0299d976e000ececc6acd76e33b4582646cb7 upstream. + +The following code fails to allocate a buffer for the +tail address that the hardware DMAs into when the user +context DMA_RTAIL is set. + +if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) { + rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent( + &dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail, + gfp_flags); + if (!rcd->rcvhdrtail_kvaddr) + goto bail_free; + rcd->rcvhdrqtailaddr_dma = dma_hdrqtail; +} + +So the rcvhdrtail_kvaddr would then be NULL. + +The mmap logic fails to check for a NULL rcvhdrtail_kvaddr. + +The fix is to test for both user and kernel DMA_TAIL options +during the allocation as well as testing for a NULL +rcvhdrtail_kvaddr during the mmap processing. + +Additionally, all downstream testing of the capmask for DMA_RTAIL +have been eliminated in favor of testing rcvhdrtail_kvaddr. + +Cc: # 4.9.x +Reviewed-by: Michael J. Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/chip.c | 8 ++++---- + drivers/infiniband/hw/hfi1/file_ops.c | 2 +- + drivers/infiniband/hw/hfi1/init.c | 9 ++++----- + 3 files changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -6829,7 +6829,7 @@ static void rxe_kernel_unfreeze(struct h + } + rcvmask = HFI1_RCVCTRL_CTXT_ENB; + /* HFI1_RCVCTRL_TAILUPD_[ENB|DIS] needs to be set explicitly */ +- rcvmask |= HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ? ++ rcvmask |= rcd->rcvhdrtail_kvaddr ? + HFI1_RCVCTRL_TAILUPD_ENB : HFI1_RCVCTRL_TAILUPD_DIS; + hfi1_rcvctrl(dd, rcvmask, rcd); + hfi1_rcd_put(rcd); +@@ -8355,7 +8355,7 @@ static inline int check_packet_present(s + u32 tail; + int present; + +- if (!HFI1_CAP_IS_KSET(DMA_RTAIL)) ++ if (!rcd->rcvhdrtail_kvaddr) + present = (rcd->seq_cnt == + rhf_rcv_seq(rhf_to_cpu(get_rhf_addr(rcd)))); + else /* is RDMA rtail */ +@@ -11823,7 +11823,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d + /* reset the tail and hdr addresses, and sequence count */ + write_kctxt_csr(dd, ctxt, RCV_HDR_ADDR, + rcd->rcvhdrq_dma); +- if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) ++ if (rcd->rcvhdrtail_kvaddr) + write_kctxt_csr(dd, ctxt, RCV_HDR_TAIL_ADDR, + rcd->rcvhdrqtailaddr_dma); + rcd->seq_cnt = 1; +@@ -11903,7 +11903,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d + rcvctrl |= RCV_CTXT_CTRL_INTR_AVAIL_SMASK; + if (op & HFI1_RCVCTRL_INTRAVAIL_DIS) + rcvctrl &= ~RCV_CTXT_CTRL_INTR_AVAIL_SMASK; +- if (op & HFI1_RCVCTRL_TAILUPD_ENB && rcd->rcvhdrqtailaddr_dma) ++ if ((op & HFI1_RCVCTRL_TAILUPD_ENB) && rcd->rcvhdrtail_kvaddr) + rcvctrl |= RCV_CTXT_CTRL_TAIL_UPD_SMASK; + if (op & HFI1_RCVCTRL_TAILUPD_DIS) { + /* See comment on RcvCtxtCtrl.TailUpd above */ +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -505,7 +505,7 @@ static int hfi1_file_mmap(struct file *f + ret = -EINVAL; + goto done; + } +- if (flags & VM_WRITE) { ++ if ((flags & VM_WRITE) || !uctxt->rcvhdrtail_kvaddr) { + ret = -EPERM; + goto done; + } +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1844,7 +1844,6 @@ int hfi1_create_rcvhdrq(struct hfi1_devd + u64 reg; + + if (!rcd->rcvhdrq) { +- dma_addr_t dma_hdrqtail; + gfp_t gfp_flags; + + /* +@@ -1869,13 +1868,13 @@ int hfi1_create_rcvhdrq(struct hfi1_devd + goto bail; + } + +- if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) { ++ if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) || ++ HFI1_CAP_UGET_MASK(rcd->flags, DMA_RTAIL)) { + rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent( +- &dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail, +- gfp_flags); ++ &dd->pcidev->dev, PAGE_SIZE, ++ &rcd->rcvhdrqtailaddr_dma, gfp_flags); + if (!rcd->rcvhdrtail_kvaddr) + goto bail_free; +- rcd->rcvhdrqtailaddr_dma = dma_hdrqtail; + } + + rcd->rcvhdrq_size = amt; diff --git a/queue-4.17/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch b/queue-4.17/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch new file mode 100644 index 00000000000..bdae5964ede --- /dev/null +++ b/queue-4.17/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch @@ -0,0 +1,119 @@ +From af8aab71370a692eaf7e7969ba5b1a455ac20113 Mon Sep 17 00:00:00 2001 +From: Sebastian Sanchez +Date: Wed, 2 May 2018 06:43:39 -0700 +Subject: IB/hfi1: Optimize kthread pointer locking when queuing CQ entries + +From: Sebastian Sanchez + +commit af8aab71370a692eaf7e7969ba5b1a455ac20113 upstream. + +All threads queuing CQ entries on different CQs are unnecessarily +synchronized by a spin lock to check if the CQ kthread worker hasn't +been destroyed before queuing an CQ entry. + +The lock used in 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a +destroyed cq kthread worker") is a device global lock and will have +poor performance at scale as completions are entered from a large +number of CPUs. + +Convert to use RCU where the read side of RCU is rvt_cq_enter() to +determine that the worker is alive prior to triggering the +completion event. +Apply write side RCU semantics in rvt_driver_cq_init() and +rvt_cq_exit(). + +Fixes: 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a destroyed cq kthread worker") +Cc: # 4.14.x +Reviewed-by: Mike Marciniszyn +Signed-off-by: Sebastian Sanchez +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rdmavt/cq.c | 31 +++++++++++++++++++------------ + include/rdma/rdma_vt.h | 2 +- + 2 files changed, 20 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/sw/rdmavt/cq.c ++++ b/drivers/infiniband/sw/rdmavt/cq.c +@@ -120,17 +120,20 @@ void rvt_cq_enter(struct rvt_cq *cq, str + if (cq->notify == IB_CQ_NEXT_COMP || + (cq->notify == IB_CQ_SOLICITED && + (solicited || entry->status != IB_WC_SUCCESS))) { ++ struct kthread_worker *worker; ++ + /* + * This will cause send_complete() to be called in + * another thread. + */ +- spin_lock(&cq->rdi->n_cqs_lock); +- if (likely(cq->rdi->worker)) { ++ rcu_read_lock(); ++ worker = rcu_dereference(cq->rdi->worker); ++ if (likely(worker)) { + cq->notify = RVT_CQ_NONE; + cq->triggered++; +- kthread_queue_work(cq->rdi->worker, &cq->comptask); ++ kthread_queue_work(worker, &cq->comptask); + } +- spin_unlock(&cq->rdi->n_cqs_lock); ++ rcu_read_unlock(); + } + + spin_unlock_irqrestore(&cq->lock, flags); +@@ -512,7 +515,7 @@ int rvt_driver_cq_init(struct rvt_dev_in + int cpu; + struct kthread_worker *worker; + +- if (rdi->worker) ++ if (rcu_access_pointer(rdi->worker)) + return 0; + + spin_lock_init(&rdi->n_cqs_lock); +@@ -524,7 +527,7 @@ int rvt_driver_cq_init(struct rvt_dev_in + return PTR_ERR(worker); + + set_user_nice(worker->task, MIN_NICE); +- rdi->worker = worker; ++ RCU_INIT_POINTER(rdi->worker, worker); + return 0; + } + +@@ -536,15 +539,19 @@ void rvt_cq_exit(struct rvt_dev_info *rd + { + struct kthread_worker *worker; + +- /* block future queuing from send_complete() */ +- spin_lock_irq(&rdi->n_cqs_lock); +- worker = rdi->worker; ++ if (!rcu_access_pointer(rdi->worker)) ++ return; ++ ++ spin_lock(&rdi->n_cqs_lock); ++ worker = rcu_dereference_protected(rdi->worker, ++ lockdep_is_held(&rdi->n_cqs_lock)); + if (!worker) { +- spin_unlock_irq(&rdi->n_cqs_lock); ++ spin_unlock(&rdi->n_cqs_lock); + return; + } +- rdi->worker = NULL; +- spin_unlock_irq(&rdi->n_cqs_lock); ++ RCU_INIT_POINTER(rdi->worker, NULL); ++ spin_unlock(&rdi->n_cqs_lock); ++ synchronize_rcu(); + + kthread_destroy_worker(worker); + } +--- a/include/rdma/rdma_vt.h ++++ b/include/rdma/rdma_vt.h +@@ -402,7 +402,7 @@ struct rvt_dev_info { + spinlock_t pending_lock; /* protect pending mmap list */ + + /* CQ */ +- struct kthread_worker *worker; /* per device cq worker */ ++ struct kthread_worker __rcu *worker; /* per device cq worker */ + u32 n_cqs_allocated; /* number of CQs allocated for device */ + spinlock_t n_cqs_lock; /* protect count of in use cqs */ + diff --git a/queue-4.17/ib-hfi1-qib-add-handling-of-kernel-restart.patch b/queue-4.17/ib-hfi1-qib-add-handling-of-kernel-restart.patch new file mode 100644 index 00000000000..005a0b2e2c6 --- /dev/null +++ b/queue-4.17/ib-hfi1-qib-add-handling-of-kernel-restart.patch @@ -0,0 +1,134 @@ +From 8d3e71136a080d007620472f50c7b3e63ba0f5cf Mon Sep 17 00:00:00 2001 +From: Alex Estrin +Date: Wed, 2 May 2018 06:43:15 -0700 +Subject: IB/{hfi1, qib}: Add handling of kernel restart + +From: Alex Estrin + +commit 8d3e71136a080d007620472f50c7b3e63ba0f5cf upstream. + +A warm restart will fail to unload the driver, leaving link state +potentially flapping up to the point the BIOS resets the adapter. +Correct the issue by hooking the shutdown pci method, +which will bring port down. + +Cc: # 4.9.x +Reviewed-by: Mike Marciniszyn +Signed-off-by: Alex Estrin +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/hfi.h | 1 + + drivers/infiniband/hw/hfi1/init.c | 13 +++++++++++++ + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/infiniband/hw/qib/qib_init.c | 13 +++++++++++++ + 4 files changed, 28 insertions(+) + +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1856,6 +1856,7 @@ struct cc_state *get_cc_state_protected( + #define HFI1_HAS_SDMA_TIMEOUT 0x8 + #define HFI1_HAS_SEND_DMA 0x10 /* Supports Send DMA */ + #define HFI1_FORCED_FREEZE 0x80 /* driver forced freeze mode */ ++#define HFI1_SHUTDOWN 0x100 /* device is shutting down */ + + /* IB dword length mask in PBC (lower 11 bits); same for all chips */ + #define HFI1_PBC_LENGTH_MASK ((1 << 11) - 1) +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1058,6 +1058,10 @@ static void shutdown_device(struct hfi1_ + unsigned pidx; + int i; + ++ if (dd->flags & HFI1_SHUTDOWN) ++ return; ++ dd->flags |= HFI1_SHUTDOWN; ++ + for (pidx = 0; pidx < dd->num_pports; ++pidx) { + ppd = dd->pport + pidx; + +@@ -1391,6 +1395,7 @@ void hfi1_disable_after_error(struct hfi + + static void remove_one(struct pci_dev *); + static int init_one(struct pci_dev *, const struct pci_device_id *); ++static void shutdown_one(struct pci_dev *); + + #define DRIVER_LOAD_MSG "Intel " DRIVER_NAME " loaded: " + #define PFX DRIVER_NAME ": " +@@ -1407,6 +1412,7 @@ static struct pci_driver hfi1_pci_driver + .name = DRIVER_NAME, + .probe = init_one, + .remove = remove_one, ++ .shutdown = shutdown_one, + .id_table = hfi1_pci_tbl, + .err_handler = &hfi1_pci_err_handler, + }; +@@ -1816,6 +1822,13 @@ static void remove_one(struct pci_dev *p + postinit_cleanup(dd); + } + ++static void shutdown_one(struct pci_dev *pdev) ++{ ++ struct hfi1_devdata *dd = pci_get_drvdata(pdev); ++ ++ shutdown_device(dd); ++} ++ + /** + * hfi1_create_rcvhdrq - create a receive header queue + * @dd: the hfi1_ib device +--- a/drivers/infiniband/hw/qib/qib.h ++++ b/drivers/infiniband/hw/qib/qib.h +@@ -1228,6 +1228,7 @@ static inline struct qib_ibport *to_ipor + #define QIB_BADINTR 0x8000 /* severe interrupt problems */ + #define QIB_DCA_ENABLED 0x10000 /* Direct Cache Access enabled */ + #define QIB_HAS_QSFP 0x20000 /* device (card instance) has QSFP */ ++#define QIB_SHUTDOWN 0x40000 /* device is shutting down */ + + /* + * values for ppd->lflags (_ib_port_ related flags) +--- a/drivers/infiniband/hw/qib/qib_init.c ++++ b/drivers/infiniband/hw/qib/qib_init.c +@@ -841,6 +841,10 @@ static void qib_shutdown_device(struct q + struct qib_pportdata *ppd; + unsigned pidx; + ++ if (dd->flags & QIB_SHUTDOWN) ++ return; ++ dd->flags |= QIB_SHUTDOWN; ++ + for (pidx = 0; pidx < dd->num_pports; ++pidx) { + ppd = dd->pport + pidx; + +@@ -1182,6 +1186,7 @@ void qib_disable_after_error(struct qib_ + + static void qib_remove_one(struct pci_dev *); + static int qib_init_one(struct pci_dev *, const struct pci_device_id *); ++static void qib_shutdown_one(struct pci_dev *); + + #define DRIVER_LOAD_MSG "Intel " QIB_DRV_NAME " loaded: " + #define PFX QIB_DRV_NAME ": " +@@ -1199,6 +1204,7 @@ static struct pci_driver qib_driver = { + .name = QIB_DRV_NAME, + .probe = qib_init_one, + .remove = qib_remove_one, ++ .shutdown = qib_shutdown_one, + .id_table = qib_pci_tbl, + .err_handler = &qib_pci_err_handler, + }; +@@ -1549,6 +1555,13 @@ static void qib_remove_one(struct pci_de + qib_postinit_cleanup(dd); + } + ++static void qib_shutdown_one(struct pci_dev *pdev) ++{ ++ struct qib_devdata *dd = pci_get_drvdata(pdev); ++ ++ qib_shutdown_device(dd); ++} ++ + /** + * qib_create_rcvhdrq - create a receive header queue + * @dd: the qlogic_ib device diff --git a/queue-4.17/ib-hfi1-reorder-incorrect-send-context-disable.patch b/queue-4.17/ib-hfi1-reorder-incorrect-send-context-disable.patch new file mode 100644 index 00000000000..e2896e4cd1f --- /dev/null +++ b/queue-4.17/ib-hfi1-reorder-incorrect-send-context-disable.patch @@ -0,0 +1,123 @@ +From a93a0a31111231bb1949f4a83b17238f0fa32d6a Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Wed, 2 May 2018 06:43:07 -0700 +Subject: IB/hfi1: Reorder incorrect send context disable + +From: Michael J. Ruhl + +commit a93a0a31111231bb1949f4a83b17238f0fa32d6a upstream. + +User send context integrity bits are cleared before the context is +disabled. If the send context is still processing data, any packets +that need those integrity bits will cause an error and halt the send +context. + +During the disable handling, the driver waits for the context to drain. +If the context is halted, the driver will eventually timeout because +the context won't drain and then incorrectly bounce the link. + +Reorder the bit clearing and the context disable. + +Examine the software state and send context status as well as the +egress status to determine if a send context is in the halted state. + +Promote the check macros to static functions for consistency with the +new check and to follow kernel style. + +Remove an unused define that refers to the egress timeout. + +Cc: # 4.9.x +Reviewed-by: Mitko Haralanov +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/file_ops.c | 2 - + drivers/infiniband/hw/hfi1/pio.c | 44 ++++++++++++++++++++++++++-------- + 2 files changed, 35 insertions(+), 11 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -689,8 +689,8 @@ static int hfi1_file_close(struct inode + * checks to default and disable the send context. + */ + if (uctxt->sc) { +- set_pio_integrity(uctxt->sc); + sc_disable(uctxt->sc); ++ set_pio_integrity(uctxt->sc); + } + + hfi1_free_ctxt_rcv_groups(uctxt); +--- a/drivers/infiniband/hw/hfi1/pio.c ++++ b/drivers/infiniband/hw/hfi1/pio.c +@@ -50,8 +50,6 @@ + #include "qp.h" + #include "trace.h" + +-#define SC_CTXT_PACKET_EGRESS_TIMEOUT 350 /* in chip cycles */ +- + #define SC(name) SEND_CTXT_##name + /* + * Send Context functions +@@ -961,15 +959,40 @@ void sc_disable(struct send_context *sc) + } + + /* return SendEgressCtxtStatus.PacketOccupancy */ +-#define packet_occupancy(r) \ +- (((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)\ +- >> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT) ++static u64 packet_occupancy(u64 reg) ++{ ++ return (reg & ++ SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK) ++ >> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT; ++} + + /* is egress halted on the context? */ +-#define egress_halted(r) \ +- ((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK) ++static bool egress_halted(u64 reg) ++{ ++ return !!(reg & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK); ++} ++ ++/* is the send context halted? */ ++static bool is_sc_halted(struct hfi1_devdata *dd, u32 hw_context) ++{ ++ return !!(read_kctxt_csr(dd, hw_context, SC(STATUS)) & ++ SC(STATUS_CTXT_HALTED_SMASK)); ++} + +-/* wait for packet egress, optionally pause for credit return */ ++/** ++ * sc_wait_for_packet_egress ++ * @sc: valid send context ++ * @pause: wait for credit return ++ * ++ * Wait for packet egress, optionally pause for credit return ++ * ++ * Egress halt and Context halt are not necessarily the same thing, so ++ * check for both. ++ * ++ * NOTE: The context halt bit may not be set immediately. Because of this, ++ * it is necessary to check the SW SFC_HALTED bit (set in the IRQ) and the HW ++ * context bit to determine if the context is halted. ++ */ + static void sc_wait_for_packet_egress(struct send_context *sc, int pause) + { + struct hfi1_devdata *dd = sc->dd; +@@ -981,8 +1004,9 @@ static void sc_wait_for_packet_egress(st + reg_prev = reg; + reg = read_csr(dd, sc->hw_context * 8 + + SEND_EGRESS_CTXT_STATUS); +- /* done if egress is stopped */ +- if (egress_halted(reg)) ++ /* done if any halt bits, SW or HW are set */ ++ if (sc->flags & SCF_HALTED || ++ is_sc_halted(dd, sc->hw_context) || egress_halted(reg)) + break; + reg = packet_occupancy(reg); + if (reg == 0) diff --git a/queue-4.17/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch b/queue-4.17/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch new file mode 100644 index 00000000000..087b06cfc93 --- /dev/null +++ b/queue-4.17/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch @@ -0,0 +1,114 @@ +From 763b69654bfb88ea3230d015e7d755ee8339f8ee Mon Sep 17 00:00:00 2001 +From: Alex Estrin +Date: Tue, 15 May 2018 18:31:39 -0700 +Subject: IB/isert: Fix for lib/dma_debug check_sync warning + +From: Alex Estrin + +commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream. + +The following error message occurs on a target host in a debug build +during session login: + +[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0 +[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes] +......snip ..... + +[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1 +[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015 +[ 3524.555740] Call Trace: +[ 3524.559102] [] dump_stack+0x19/0x1b +[ 3524.565477] [] __warn+0xd8/0x100 +[ 3524.571557] [] warn_slowpath_fmt+0x5f/0x80 +[ 3524.578610] [] check_sync+0x4ec/0x5b0 +[ 3524.585177] [] ? set_cpus_allowed_ptr+0x5f/0x1c0 +[ 3524.592812] [] debug_dma_sync_single_for_cpu+0x80/0x90 +[ 3524.601029] [] ? x2apic_send_IPI_mask+0x13/0x20 +[ 3524.608574] [] ? native_smp_send_reschedule+0x5b/0x80 +[ 3524.616699] [] ? resched_curr+0xf6/0x140 +[ 3524.623567] [] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert] +[ 3524.633060] [] isert_put_login_tx+0x55/0x8b0 [ib_isert] +[ 3524.641383] [] ? try_to_wake_up+0x1a4/0x430 +[ 3524.648561] [] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod] +[ 3524.658557] [] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod] +[ 3524.668084] [] ? kstrdup+0x49/0x60 +[ 3524.674420] [] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod] +[ 3524.684656] [] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod] +[ 3524.694901] [] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod] +[ 3524.705446] [] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod] +[ 3524.715976] [] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod] +[ 3524.725739] [] kthread+0xef/0x100 +[ 3524.732007] [] ? insert_kthread_work+0x80/0x80 +[ 3524.739540] [] ret_from_fork_nospec_begin+0x21/0x21 +[ 3524.747558] [] ? insert_kthread_work+0x80/0x80 +[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]--- +[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION. + +The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it +with dma-mapped address. +login_tx_desc is a part of iser_conn structure and is used only once +during login negotiation, so the issue is fixed by eliminating +dma_sync call for this buffer using a special case routine. + +Cc: +Reviewed-by: Mike Marciniszyn +Reviewed-by: Don Dutile +Signed-off-by: Alex Estrin +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -886,15 +886,9 @@ isert_login_post_send(struct isert_conn + } + + static void +-isert_create_send_desc(struct isert_conn *isert_conn, +- struct isert_cmd *isert_cmd, +- struct iser_tx_desc *tx_desc) ++__isert_create_send_desc(struct isert_device *device, ++ struct iser_tx_desc *tx_desc) + { +- struct isert_device *device = isert_conn->device; +- struct ib_device *ib_dev = device->ib_device; +- +- ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr, +- ISER_HEADERS_LEN, DMA_TO_DEVICE); + + memset(&tx_desc->iser_header, 0, sizeof(struct iser_ctrl)); + tx_desc->iser_header.flags = ISCSI_CTRL; +@@ -907,6 +901,20 @@ isert_create_send_desc(struct isert_conn + } + } + ++static void ++isert_create_send_desc(struct isert_conn *isert_conn, ++ struct isert_cmd *isert_cmd, ++ struct iser_tx_desc *tx_desc) ++{ ++ struct isert_device *device = isert_conn->device; ++ struct ib_device *ib_dev = device->ib_device; ++ ++ ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr, ++ ISER_HEADERS_LEN, DMA_TO_DEVICE); ++ ++ __isert_create_send_desc(device, tx_desc); ++} ++ + static int + isert_init_tx_hdrs(struct isert_conn *isert_conn, + struct iser_tx_desc *tx_desc) +@@ -994,7 +1002,7 @@ isert_put_login_tx(struct iscsi_conn *co + struct iser_tx_desc *tx_desc = &isert_conn->login_tx_desc; + int ret; + +- isert_create_send_desc(isert_conn, NULL, tx_desc); ++ __isert_create_send_desc(device, tx_desc); + + memcpy(&tx_desc->iscsi_header, &login->rsp[0], + sizeof(struct iscsi_hdr)); diff --git a/queue-4.17/ib-isert-fix-t10-pi-check-mask-setting.patch b/queue-4.17/ib-isert-fix-t10-pi-check-mask-setting.patch new file mode 100644 index 00000000000..31e34d0a9ad --- /dev/null +++ b/queue-4.17/ib-isert-fix-t10-pi-check-mask-setting.patch @@ -0,0 +1,37 @@ +From 0e12af84cdd3056460f928adc164f9e87f4b303b Mon Sep 17 00:00:00 2001 +From: Max Gurtovoy +Date: Thu, 31 May 2018 11:05:23 +0300 +Subject: IB/isert: fix T10-pi check mask setting + +From: Max Gurtovoy + +commit 0e12af84cdd3056460f928adc164f9e87f4b303b upstream. + +A copy/paste bug (probably) caused setting of an app_tag check mask +in case where a ref_tag check was needed. + +Fixes: 38a2d0d429f1 ("IB/isert: convert to the generic RDMA READ/WRITE API") +Fixes: 9e961ae73c2c ("IB/isert: Support T10-PI protected transactions") +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Reviewed-by: Martin K. Petersen +Signed-off-by: Max Gurtovoy +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2116,7 +2116,7 @@ isert_set_sig_attrs(struct se_cmd *se_cm + + sig_attrs->check_mask = + (se_cmd->prot_checks & TARGET_DIF_CHECK_GUARD ? 0xc0 : 0) | +- (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x30 : 0) | ++ (se_cmd->prot_checks & TARGET_DIF_CHECK_APPTAG ? 0x30 : 0) | + (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x0f : 0); + return 0; + } diff --git a/queue-4.17/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch b/queue-4.17/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch new file mode 100644 index 00000000000..aa776ce061b --- /dev/null +++ b/queue-4.17/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch @@ -0,0 +1,120 @@ +From d8f9cc328c8888369880e2527e9186d745f2bbf6 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 23 May 2018 15:30:31 +0300 +Subject: IB/mlx4: Mark user MR as writable if actual virtual memory is writable + +From: Jack Morgenstein + +commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream. + +To allow rereg_user_mr to modify the MR from read-only to writable without +using get_user_pages again, we needed to define the initial MR as writable. +However, this was originally done unconditionally, without taking into +account the writability of the underlying virtual memory. + +As a result, any attempt to register a read-only MR over read-only +virtual memory failed. + +To fix this, do not add the writable flag bit when the user virtual memory +is not writable (e.g. const memory). + +However, when the underlying memory is NOT writable (and we therefore +do not define the initial MR as writable), the IB core adds a +"force writable" flag to its user-pages request. If this succeeds, +the reg_user_mr caller gets a writable copy of the original pages. + +If the user-space caller then does a rereg_user_mr operation to enable +writability, this will succeed. This should not be allowed, since +the original virtual memory was not writable. + +Cc: +Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/mr.c | 50 +++++++++++++++++++++++++++++++++------- + 1 file changed, 42 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/mr.c ++++ b/drivers/infiniband/hw/mlx4/mr.c +@@ -367,6 +367,40 @@ end: + return block_shift; + } + ++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start, ++ u64 length, u64 virt_addr, ++ int access_flags) ++{ ++ /* ++ * Force registering the memory as writable if the underlying pages ++ * are writable. This is so rereg can change the access permissions ++ * from readable to writable without having to run through ib_umem_get ++ * again ++ */ ++ if (!ib_access_writable(access_flags)) { ++ struct vm_area_struct *vma; ++ ++ down_read(¤t->mm->mmap_sem); ++ /* ++ * FIXME: Ideally this would iterate over all the vmas that ++ * cover the memory, but for now it requires a single vma to ++ * entirely cover the MR to support RO mappings. ++ */ ++ vma = find_vma(current->mm, start); ++ if (vma && vma->vm_end >= start + length && ++ vma->vm_start <= start) { ++ if (vma->vm_flags & VM_WRITE) ++ access_flags |= IB_ACCESS_LOCAL_WRITE; ++ } else { ++ access_flags |= IB_ACCESS_LOCAL_WRITE; ++ } ++ ++ up_read(¤t->mm->mmap_sem); ++ } ++ ++ return ib_umem_get(context, start, length, access_flags, 0); ++} ++ + struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + u64 virt_addr, int access_flags, + struct ib_udata *udata) +@@ -381,10 +415,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct + if (!mr) + return ERR_PTR(-ENOMEM); + +- /* Force registering the memory as writable. */ +- /* Used for memory re-registeration. HCA protects the access */ +- mr->umem = ib_umem_get(pd->uobject->context, start, length, +- access_flags | IB_ACCESS_LOCAL_WRITE, 0); ++ mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length, ++ virt_addr, access_flags); + if (IS_ERR(mr->umem)) { + err = PTR_ERR(mr->umem); + goto err_free; +@@ -454,6 +486,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr * + } + + if (flags & IB_MR_REREG_ACCESS) { ++ if (ib_access_writable(mr_access_flags) && !mmr->umem->writable) ++ return -EPERM; ++ + err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry, + convert_access(mr_access_flags)); + +@@ -467,10 +502,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr * + + mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr); + ib_umem_release(mmr->umem); +- mmr->umem = ib_umem_get(mr->uobject->context, start, length, +- mr_access_flags | +- IB_ACCESS_LOCAL_WRITE, +- 0); ++ mmr->umem = ++ mlx4_get_umem_mr(mr->uobject->context, start, length, ++ virt_addr, mr_access_flags); + if (IS_ERR(mmr->umem)) { + err = PTR_ERR(mmr->umem); + /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */ diff --git a/queue-4.17/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch b/queue-4.17/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch new file mode 100644 index 00000000000..84fc0d1ddcf --- /dev/null +++ b/queue-4.17/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch @@ -0,0 +1,82 @@ +From 7b74a83cf54a3747e22c57e25712bd70eef8acee Mon Sep 17 00:00:00 2001 +From: Erez Shitrit +Date: Mon, 21 May 2018 11:41:01 +0300 +Subject: IB/mlx5: Fetch soft WQE's on fatal error state + +From: Erez Shitrit + +commit 7b74a83cf54a3747e22c57e25712bd70eef8acee upstream. + +On fatal error the driver simulates CQE's for ULPs that rely on +completion of all their posted work-request. + +For the GSI traffic, the mlx5 has its own mechanism that sends the +completions via software CQE's directly to the relevant CQ. + +This should be kept in fatal error too, so the driver should simulate +such CQE's with the specified error state in order to complete GSI QP +work requests. + +Without the fix the next deadlock might appears: + schedule_timeout+0x274/0x350 + wait_for_common+0xec/0x240 + mcast_remove_one+0xd0/0x120 [ib_core] + ib_unregister_device+0x12c/0x230 [ib_core] + mlx5_ib_remove+0xc4/0x270 [mlx5_ib] + mlx5_detach_device+0x184/0x1a0 [mlx5_core] + mlx5_unload_one+0x308/0x340 [mlx5_core] + mlx5_pci_err_detected+0x74/0xe0 [mlx5_core] + +Cc: # 4.7 +Fixes: 89ea94a7b6c4 ("IB/mlx5: Reset flow support for IB kernel ULPs") +Signed-off-by: Erez Shitrit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/cq.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -637,7 +637,7 @@ repoll: + } + + static int poll_soft_wc(struct mlx5_ib_cq *cq, int num_entries, +- struct ib_wc *wc) ++ struct ib_wc *wc, bool is_fatal_err) + { + struct mlx5_ib_dev *dev = to_mdev(cq->ibcq.device); + struct mlx5_ib_wc *soft_wc, *next; +@@ -650,6 +650,10 @@ static int poll_soft_wc(struct mlx5_ib_c + mlx5_ib_dbg(dev, "polled software generated completion on CQ 0x%x\n", + cq->mcq.cqn); + ++ if (unlikely(is_fatal_err)) { ++ soft_wc->wc.status = IB_WC_WR_FLUSH_ERR; ++ soft_wc->wc.vendor_err = MLX5_CQE_SYNDROME_WR_FLUSH_ERR; ++ } + wc[npolled++] = soft_wc->wc; + list_del(&soft_wc->list); + kfree(soft_wc); +@@ -670,12 +674,17 @@ int mlx5_ib_poll_cq(struct ib_cq *ibcq, + + spin_lock_irqsave(&cq->lock, flags); + if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) { +- mlx5_ib_poll_sw_comp(cq, num_entries, wc, &npolled); ++ /* make sure no soft wqe's are waiting */ ++ if (unlikely(!list_empty(&cq->wc_list))) ++ soft_polled = poll_soft_wc(cq, num_entries, wc, true); ++ ++ mlx5_ib_poll_sw_comp(cq, num_entries - soft_polled, ++ wc + soft_polled, &npolled); + goto out; + } + + if (unlikely(!list_empty(&cq->wc_list))) +- soft_polled = poll_soft_wc(cq, num_entries, wc); ++ soft_polled = poll_soft_wc(cq, num_entries, wc, false); + + for (npolled = 0; npolled < num_entries - soft_polled; npolled++) { + if (mlx5_poll_one(cq, &cur_qp, wc + soft_polled + npolled)) diff --git a/queue-4.17/ib-qib-fix-dma-api-warning-with-debug-kernel.patch b/queue-4.17/ib-qib-fix-dma-api-warning-with-debug-kernel.patch new file mode 100644 index 00000000000..25ba52a05bd --- /dev/null +++ b/queue-4.17/ib-qib-fix-dma-api-warning-with-debug-kernel.patch @@ -0,0 +1,153 @@ +From 0252f73334f9ef68868e4684200bea3565a4fcee Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Fri, 18 May 2018 17:07:01 -0700 +Subject: IB/qib: Fix DMA api warning with debug kernel + +From: Mike Marciniszyn + +commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream. + +The following error occurs in a debug build when running MPI PSM: + +[ 307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158 +check_unmap+0x4ee/0xa20 +[ 307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map +error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page] +[ 307.517494] Modules linked in: +[ 307.531584] ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma +sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib +scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm +ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm +irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg +ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt +iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler +ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod +crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea +sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common +drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core +[ 307.846113] pps_core dm_mirror dm_region_hash dm_log dm_mod +[ 307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not +tainted 3.10.0-862.el7.x86_64.debug #1 +[ 307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013 +[ 307.944206] Call Trace: +[ 307.956973] [] dump_stack+0x19/0x1b +[ 307.982201] [] __warn+0xd8/0x100 +[ 308.005999] [] warn_slowpath_fmt+0x5f/0x80 +[ 308.034260] [] check_unmap+0x4ee/0xa20 +[ 308.060801] [] ? page_add_file_rmap+0x2a/0x1d0 +[ 308.090689] [] debug_dma_unmap_page+0x9d/0xb0 +[ 308.120155] [] ? might_fault+0xa0/0xb0 +[ 308.146656] [] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib] +[ 308.180739] [] qib_write+0x894/0x1280 [ib_qib] +[ 308.210733] [] ? __inode_security_revalidate+0x70/0x80 +[ 308.244837] [] ? security_file_permission+0x27/0xb0 +[ 308.266025] qib_ib0.8006: multicast join failed for +ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22 +[ 308.323421] [] vfs_write+0xc3/0x1f0 +[ 308.347077] [] ? fget_light+0xfc/0x510 +[ 308.372533] [] SyS_write+0x8a/0x100 +[ 308.396456] [] system_call_fastpath+0x1c/0x21 + +The code calls a qib_map_page() which has never correctly tested for a +mapping error. + +Fix by testing for pci_dma_mapping_error() in all cases and properly +handling the failure in the caller. + +Additionally, streamline qib_map_page() arguments to satisfy just +the single caller. + +Cc: +Reviewed-by: Alex Estrin +Tested-by: Don Dutile +Reviewed-by: Don Dutile +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib.h | 3 +-- + drivers/infiniband/hw/qib/qib_file_ops.c | 10 +++++++--- + drivers/infiniband/hw/qib/qib_user_pages.c | 20 ++++++++++++-------- + 3 files changed, 20 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib.h ++++ b/drivers/infiniband/hw/qib/qib.h +@@ -1423,8 +1423,7 @@ u64 qib_sps_ints(void); + /* + * dma_addr wrappers - all 0's invalid for hw + */ +-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long, +- size_t, int); ++int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr); + struct pci_dev *qib_get_pci_dev(struct rvt_dev_info *rdi); + + /* +--- a/drivers/infiniband/hw/qib/qib_file_ops.c ++++ b/drivers/infiniband/hw/qib/qib_file_ops.c +@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctx + goto done; + } + for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) { ++ dma_addr_t daddr; ++ + for (; ntids--; tid++) { + if (tid == tidcnt) + tid = 0; +@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctx + ret = -ENOMEM; + break; + } ++ ret = qib_map_page(dd->pcidev, pagep[i], &daddr); ++ if (ret) ++ break; ++ + tidlist[i] = tid + tidoff; + /* we "know" system pages and TID pages are same size */ + dd->pageshadow[ctxttid + tid] = pagep[i]; +- dd->physshadow[ctxttid + tid] = +- qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE, +- PCI_DMA_FROMDEVICE); ++ dd->physshadow[ctxttid + tid] = daddr; + /* + * don't need atomic or it's overhead + */ +--- a/drivers/infiniband/hw/qib/qib_user_pages.c ++++ b/drivers/infiniband/hw/qib/qib_user_pages.c +@@ -99,23 +99,27 @@ bail: + * + * I'm sure we won't be so lucky with other iommu's, so FIXME. + */ +-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page, +- unsigned long offset, size_t size, int direction) ++int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr) + { + dma_addr_t phys; + +- phys = pci_map_page(hwdev, page, offset, size, direction); ++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE); ++ if (pci_dma_mapping_error(hwdev, phys)) ++ return -ENOMEM; + +- if (phys == 0) { +- pci_unmap_page(hwdev, phys, size, direction); +- phys = pci_map_page(hwdev, page, offset, size, direction); ++ if (!phys) { ++ pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE); ++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, ++ PCI_DMA_FROMDEVICE); ++ if (pci_dma_mapping_error(hwdev, phys)) ++ return -ENOMEM; + /* + * FIXME: If we get 0 again, we should keep this page, + * map another, then free the 0 page. + */ + } +- +- return phys; ++ *daddr = phys; ++ return 0; + } + + /** diff --git a/queue-4.17/ib-uverbs-fix-ordering-of-ucontext-check-in-ib_uverbs_write.patch b/queue-4.17/ib-uverbs-fix-ordering-of-ucontext-check-in-ib_uverbs_write.patch new file mode 100644 index 00000000000..ec19356cd3c --- /dev/null +++ b/queue-4.17/ib-uverbs-fix-ordering-of-ucontext-check-in-ib_uverbs_write.patch @@ -0,0 +1,57 @@ +From 1eb9364ce81d9445ad6f9d44921a91d2a6597156 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 12 Jun 2018 09:40:23 -0600 +Subject: IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write + +From: Jason Gunthorpe + +commit 1eb9364ce81d9445ad6f9d44921a91d2a6597156 upstream. + +During disassociation the ucontext will become NULL, however due to how +the SRCU locking works the ucontext must only be examined after looking +at the ib_dev, which governs the RCU control flow. + +With the wrong ordering userspace will see EINVAL instead of EIO for a +disassociated uverbs FD, which breaks rdma-core. + +Cc: stable@vger.kernel.org +Fixes: 491d5c6a3023 ("RDMA/uverbs: Move uncontext check before SRCU read lock") +Reported-by: Mark Bloch +Signed-off-by: Jason Gunthorpe +Reviewed-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_main.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -734,10 +734,6 @@ static ssize_t ib_uverbs_write(struct fi + if (ret) + return ret; + +- if (!file->ucontext && +- (command != IB_USER_VERBS_CMD_GET_CONTEXT || extended)) +- return -EINVAL; +- + if (extended) { + if (count < (sizeof(hdr) + sizeof(ex_hdr))) + return -EINVAL; +@@ -757,6 +753,16 @@ static ssize_t ib_uverbs_write(struct fi + goto out; + } + ++ /* ++ * Must be after the ib_dev check, as once the RCU clears ib_dev == ++ * NULL means ucontext == NULL ++ */ ++ if (!file->ucontext && ++ (command != IB_USER_VERBS_CMD_GET_CONTEXT || extended)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + if (!verify_command_mask(ib_dev, command, extended)) { + ret = -EOPNOTSUPP; + goto out; diff --git a/queue-4.17/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch b/queue-4.17/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch new file mode 100644 index 00000000000..f876bd809f8 --- /dev/null +++ b/queue-4.17/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch @@ -0,0 +1,42 @@ +From fe50a7d0393a552e4539da2d31261a59d6415950 Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Tue, 22 May 2018 08:14:51 -0500 +Subject: ipmi:bt: Set the timeout before doing a capabilities check + +From: Corey Minyard + +commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream. + +There was one place where the timeout value for an operation was +not being set, if a capabilities request was done from idle. Move +the timeout value setting to before where that change might be +requested. + +IMHO the cause here is the invisible returns in the macros. Maybe +that's a job for later, though. + +Reported-by: Nordmark Claes +Signed-off-by: Corey Minyard +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_bt_sm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_bt_sm.c ++++ b/drivers/char/ipmi/ipmi_bt_sm.c +@@ -504,11 +504,12 @@ static enum si_sm_result bt_event(struct + if (status & BT_H_BUSY) /* clear a leftover H_BUSY */ + BT_CONTROL(BT_H_BUSY); + ++ bt->timeout = bt->BT_CAP_req2rsp; ++ + /* Read BT capabilities if it hasn't been done yet */ + if (!bt->BT_CAP_outreqs) + BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN, + SI_SM_CALL_WITHOUT_DELAY); +- bt->timeout = bt->BT_CAP_req2rsp; + BT_SI_SM_RETURN(SI_SM_IDLE); + + case BT_STATE_XACTION_START: diff --git a/queue-4.17/libnvdimm-pmem-do-not-flush-power-fail-protected-cpu-caches.patch b/queue-4.17/libnvdimm-pmem-do-not-flush-power-fail-protected-cpu-caches.patch new file mode 100644 index 00000000000..edbc00d0c18 --- /dev/null +++ b/queue-4.17/libnvdimm-pmem-do-not-flush-power-fail-protected-cpu-caches.patch @@ -0,0 +1,47 @@ +From 546eb0317cfa3c4f9e1d9ab892766d65d7f78fad Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Wed, 6 Jun 2018 10:45:15 -0600 +Subject: libnvdimm, pmem: Do not flush power-fail protected CPU caches + +From: Ross Zwisler + +commit 546eb0317cfa3c4f9e1d9ab892766d65d7f78fad upstream. + +This commit: + +5fdf8e5ba566 ("libnvdimm: re-enable deep flush for pmem devices via fsync()") + +intended to make sure that deep flush was always available even on +platforms which support a power-fail protected CPU cache. An unintended +side effect of this change was that we also lost the ability to skip +flushing CPU caches on those power-fail protected CPU cache. + +Fix this by skipping the low level cache flushing in dax_flush() if we have +CPU caches which are power-fail protected. The user can still override this +behavior by manually setting the write_cache state of a namespace. See +libndctl's ndctl_namespace_write_cache_is_enabled(), +ndctl_namespace_enable_write_cache() and +ndctl_namespace_disable_write_cache() functions. + +Cc: +Fixes: 5fdf8e5ba566 ("libnvdimm: re-enable deep flush for pmem devices via fsync()") +Signed-off-by: Ross Zwisler +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/region_devs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvdimm/region_devs.c ++++ b/drivers/nvdimm/region_devs.c +@@ -1132,7 +1132,8 @@ EXPORT_SYMBOL_GPL(nvdimm_has_flush); + + int nvdimm_has_cache(struct nd_region *nd_region) + { +- return is_nd_pmem(&nd_region->dev); ++ return is_nd_pmem(&nd_region->dev) && ++ !test_bit(ND_REGION_PERSIST_CACHE, &nd_region->flags); + } + EXPORT_SYMBOL_GPL(nvdimm_has_cache); + diff --git a/queue-4.17/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-4.17/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch new file mode 100644 index 00000000000..25c36889d50 --- /dev/null +++ b/queue-4.17/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch @@ -0,0 +1,84 @@ +From 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Sun, 3 Jun 2018 23:02:01 +0900 +Subject: MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tokunori Ikegami + +commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream. + +The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as +below. + + R10: PCIe Transactions Periodically Fail + + Description: The BCM5300X PCIe does not maintain transaction ordering. + This may cause PCIe transaction failure. + Fix Comment: Add a dummy PCIe configuration read after a PCIe + configuration write to ensure PCIe configuration access + ordering. Set ES bit of CP0 configu7 register to enable + sync function so that the sync instruction is functional. + Resolution: hndpci.c: extpci_write_config() + hndmips.c: si_mips_init() + mipsinc.h CONF7_ES + +This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX. +Also the dummy PCIe configuration read is already implemented in the +Linux BCMA driver. + +Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y +too so that the sync instruction is externalised. + +Signed-off-by: Tokunori Ikegami +Reviewed-by: Paul Burton +Acked-by: Hauke Mehrtens +Cc: Chris Packham +Cc: Rafał Miłecki +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19461/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/bcm47xx/setup.c | 6 ++++++ + arch/mips/include/asm/mipsregs.h | 3 +++ + 2 files changed, 9 insertions(+) + +--- a/arch/mips/bcm47xx/setup.c ++++ b/arch/mips/bcm47xx/setup.c +@@ -212,6 +212,12 @@ static int __init bcm47xx_cpu_fixes(void + */ + if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706) + cpu_wait = NULL; ++ ++ /* ++ * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail" ++ * Enable ExternalSync for sync instruction to take effect ++ */ ++ set_c0_config7(MIPS_CONF7_ES); + break; + #endif + } +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -681,6 +681,8 @@ + #define MIPS_CONF7_WII (_ULCAST_(1) << 31) + + #define MIPS_CONF7_RPS (_ULCAST_(1) << 2) ++/* ExternalSync */ ++#define MIPS_CONF7_ES (_ULCAST_(1) << 8) + + #define MIPS_CONF7_IAR (_ULCAST_(1) << 10) + #define MIPS_CONF7_AR (_ULCAST_(1) << 16) +@@ -2760,6 +2762,7 @@ __BUILD_SET_C0(status) + __BUILD_SET_C0(cause) + __BUILD_SET_C0(config) + __BUILD_SET_C0(config5) ++__BUILD_SET_C0(config7) + __BUILD_SET_C0(intcontrol) + __BUILD_SET_C0(intctl) + __BUILD_SET_C0(srsmap) diff --git a/queue-4.17/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch b/queue-4.17/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch new file mode 100644 index 00000000000..582b0ba6412 --- /dev/null +++ b/queue-4.17/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch @@ -0,0 +1,33 @@ +From f1ce87f6080b1dda7e7b1eda3da332add19d87b9 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:30 +0200 +Subject: mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking. + +From: Joakim Tjernlund + +commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream. + +cfi_ppb_unlock() walks all flash chips when unlocking sectors, +avoid walking chips unaffected by the unlock operation. + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2675,6 +2675,8 @@ static int __maybe_unused cfi_ppb_unlock + i++; + + if (adr >> cfi->chipshift) { ++ if (offset >= (ofs + len)) ++ break; + adr = 0; + chipnum++; + diff --git a/queue-4.17/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch b/queue-4.17/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch new file mode 100644 index 00000000000..c935b2aa220 --- /dev/null +++ b/queue-4.17/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch @@ -0,0 +1,91 @@ +From 45f75b8a919a4255f52df454f1ffdee0e42443b2 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Wed, 30 May 2018 18:32:28 +0900 +Subject: mtd: cfi_cmdset_0002: Change erase functions to retry for error + +From: Tokunori Ikegami + +commit 45f75b8a919a4255f52df454f1ffdee0e42443b2 upstream. + +For the word write functions it is retried for error. +But it is not implemented to retry for the erase functions. +To make sure for the erase functions change to retry as same. + +This is needed to prevent the flash erase error caused only once. +It was caused by the error case of chip_good() in the do_erase_oneblock(). +Also it was confirmed on the MACRONIX flash device MX29GL512FHT2I-11G. +But the error issue behavior is not able to reproduce at this moment. +The flash controller is parallel Flash interface integrated on BCM53003. + +Signed-off-by: Tokunori Ikegami +Reviewed-by: Joakim Tjernlund +Cc: Chris Packham +Cc: Brian Norris +Cc: David Woodhouse +Cc: Boris Brezillon +Cc: Marek Vasut +Cc: Richard Weinberger +Cc: Cyrille Pitchen +Cc: linux-mtd@lists.infradead.org +Cc: stable@vger.kernel.org +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2241,6 +2241,7 @@ static int __xipram do_erase_chip(struct + unsigned long int adr; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr = cfi->addr_unlock1; + +@@ -2258,6 +2259,7 @@ static int __xipram do_erase_chip(struct + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2312,6 +2314,9 @@ static int __xipram do_erase_chip(struct + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + ++ if (++retry_cnt <= MAX_RETRIES) ++ goto retry; ++ + ret = -EIO; + } + +@@ -2331,6 +2336,7 @@ static int __xipram do_erase_oneblock(st + unsigned long timeo = jiffies + HZ; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr += chip->start; + +@@ -2348,6 +2354,7 @@ static int __xipram do_erase_oneblock(st + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2405,6 +2412,9 @@ static int __xipram do_erase_oneblock(st + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + ++ if (++retry_cnt <= MAX_RETRIES) ++ goto retry; ++ + ret = -EIO; + } + diff --git a/queue-4.17/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch b/queue-4.17/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch new file mode 100644 index 00000000000..859ed6f8eee --- /dev/null +++ b/queue-4.17/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch @@ -0,0 +1,45 @@ +From dfeae1073583dc35c33b32150e18b7048bbb37e6 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Wed, 30 May 2018 18:32:26 +0900 +Subject: mtd: cfi_cmdset_0002: Change write buffer to check correct value + +From: Tokunori Ikegami + +commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream. + +For the word write it is checked if the chip has the correct value. +But it is not checked for the write buffer as only checked if ready. +To make sure for the write buffer change to check the value. + +It is enough as this patch is only checking the last written word. +Since it is described by data sheets to check the operation status. + +Signed-off-by: Tokunori Ikegami +Reviewed-by: Joakim Tjernlund +Cc: Chris Packham +Cc: Brian Norris +Cc: David Woodhouse +Cc: Boris Brezillon +Cc: Marek Vasut +Cc: Richard Weinberger +Cc: Cyrille Pitchen +Cc: linux-mtd@lists.infradead.org +Cc: stable@vger.kernel.org +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1880,7 +1880,7 @@ static int __xipram do_write_buffer(stru + if (time_after(jiffies, timeo) && !chip_ready(map, adr)) + break; + +- if (chip_ready(map, adr)) { ++ if (chip_good(map, adr, datum)) { + xip_enable(map, chip, adr); + goto op_done; + } diff --git a/queue-4.17/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch b/queue-4.17/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch new file mode 100644 index 00000000000..b97568eca75 --- /dev/null +++ b/queue-4.17/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch @@ -0,0 +1,54 @@ +From 5fdfc3dbad099281bf027a353d5786c09408a8e5 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:28 +0200 +Subject: mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips + +From: Joakim Tjernlund + +commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream. + +cfi_ppb_unlock() tries to relock all sectors that were locked before +unlocking the whole chip. +This locking used the chip start address + the FULL offset from the +first flash chip, thereby forming an illegal address. Fix that by using +the chip offset(adr). + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2525,7 +2525,7 @@ static int cfi_atmel_unlock(struct mtd_i + + struct ppb_lock { + struct flchip *chip; +- loff_t offset; ++ unsigned long adr; + int locked; + }; + +@@ -2661,7 +2661,7 @@ static int __maybe_unused cfi_ppb_unlock + */ + if ((adr < ofs) || (adr >= (ofs + len))) { + sect[sectors].chip = &cfi->chips[chipnum]; +- sect[sectors].offset = offset; ++ sect[sectors].adr = adr; + sect[sectors].locked = do_ppb_xxlock( + map, &cfi->chips[chipnum], adr, 0, + DO_XXLOCK_ONEBLOCK_GETLOCK); +@@ -2705,7 +2705,7 @@ static int __maybe_unused cfi_ppb_unlock + */ + for (i = 0; i < sectors; i++) { + if (sect[i].locked) +- do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0, ++ do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0, + DO_XXLOCK_ONEBLOCK_LOCK); + } + diff --git a/queue-4.17/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch b/queue-4.17/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch new file mode 100644 index 00000000000..34cffe1d1a3 --- /dev/null +++ b/queue-4.17/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch @@ -0,0 +1,36 @@ +From 0cd8116f172eed018907303dbff5c112690eeb91 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:29 +0200 +Subject: mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary + +From: Joakim Tjernlund + +commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream. + +The "sector is in requested range" test used to determine whether +sectors should be re-locked or not is done on a variable that is reset +everytime we cross a chip boundary, which can lead to some blocks being +re-locked while the caller expect them to be unlocked. +Fix the check to make sure this cannot happen. + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2659,7 +2659,7 @@ static int __maybe_unused cfi_ppb_unlock + * sectors shall be unlocked, so lets keep their locking + * status at "unlocked" (locked=0) for the final re-locking. + */ +- if ((adr < ofs) || (adr >= (ofs + len))) { ++ if ((offset < ofs) || (offset >= (ofs + len))) { + sect[sectors].chip = &cfi->chips[chipnum]; + sect[sectors].adr = adr; + sect[sectors].locked = do_ppb_xxlock( diff --git a/queue-4.17/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch b/queue-4.17/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch new file mode 100644 index 00000000000..7a0a9778ccf --- /dev/null +++ b/queue-4.17/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch @@ -0,0 +1,57 @@ +From f93aa8c4de307069c270b2d81741961162bead6c Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:27 +0200 +Subject: mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() + +From: Joakim Tjernlund + +commit f93aa8c4de307069c270b2d81741961162bead6c upstream. + +do_ppb_xxlock() fails to add chip->start when querying for lock status +(and chip_ready test), which caused false status reports. +Fix that by adding adr += chip->start and adjust call sites +accordingly. + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2543,8 +2543,9 @@ static int __maybe_unused do_ppb_xxlock( + unsigned long timeo; + int ret; + ++ adr += chip->start; + mutex_lock(&chip->mutex); +- ret = get_chip(map, chip, adr + chip->start, FL_LOCKING); ++ ret = get_chip(map, chip, adr, FL_LOCKING); + if (ret) { + mutex_unlock(&chip->mutex); + return ret; +@@ -2562,8 +2563,8 @@ static int __maybe_unused do_ppb_xxlock( + + if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) { + chip->state = FL_LOCKING; +- map_write(map, CMD(0xA0), chip->start + adr); +- map_write(map, CMD(0x00), chip->start + adr); ++ map_write(map, CMD(0xA0), adr); ++ map_write(map, CMD(0x00), adr); + } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) { + /* + * Unlocking of one specific sector is not supported, so we +@@ -2601,7 +2602,7 @@ static int __maybe_unused do_ppb_xxlock( + map_write(map, CMD(0x00), chip->start); + + chip->state = FL_READY; +- put_chip(map, chip, adr + chip->start); ++ put_chip(map, chip, adr); + mutex_unlock(&chip->mutex); + + return ret; diff --git a/queue-4.17/mtd-rawnand-all-ac-chips-have-a-broken-get_features-timings.patch b/queue-4.17/mtd-rawnand-all-ac-chips-have-a-broken-get_features-timings.patch new file mode 100644 index 00000000000..64922559827 --- /dev/null +++ b/queue-4.17/mtd-rawnand-all-ac-chips-have-a-broken-get_features-timings.patch @@ -0,0 +1,85 @@ +From fe3dd97dd66bb7fb23b8077a3803d2f951e60b00 Mon Sep 17 00:00:00 2001 +From: Mason Yang +Date: Wed, 20 Jun 2018 11:46:30 +0200 +Subject: mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS). + +From: Mason Yang + +commit fe3dd97dd66bb7fb23b8077a3803d2f951e60b00 upstream. + +Make sure we flag all broken chips as not supporting this feature. +Also move this logic to a new function to keep things readable. + +Fixes: 34c5c01e0c8c ("mtd: rawnand: macronix: nack the support of changing timings for one chip") +Cc: +Signed-off-by: Mason Yang +Signed-off-by: Boris Brezillon +Reviewed-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/nand_macronix.c | 48 ++++++++++++++++++++++++++--------- + 1 file changed, 36 insertions(+), 12 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_macronix.c ++++ b/drivers/mtd/nand/raw/nand_macronix.c +@@ -17,23 +17,47 @@ + + #include + ++/* ++ * Macronix AC series does not support using SET/GET_FEATURES to change ++ * the timings unlike what is declared in the parameter page. Unflag ++ * this feature to avoid unnecessary downturns. ++ */ ++static void macronix_nand_fix_broken_get_timings(struct nand_chip *chip) ++{ ++ unsigned int i; ++ static const char * const broken_get_timings[] = { ++ "MX30LF1G18AC", ++ "MX30LF1G28AC", ++ "MX30LF2G18AC", ++ "MX30LF2G28AC", ++ "MX30LF4G18AC", ++ "MX30LF4G28AC", ++ "MX60LF8G18AC", ++ }; ++ ++ if (!chip->parameters.supports_set_get_features) ++ return; ++ ++ for (i = 0; i < ARRAY_SIZE(broken_get_timings); i++) { ++ if (!strcmp(broken_get_timings[i], chip->parameters.model)) ++ break; ++ } ++ ++ if (i == ARRAY_SIZE(broken_get_timings)) ++ return; ++ ++ bitmap_clear(chip->parameters.get_feature_list, ++ ONFI_FEATURE_ADDR_TIMING_MODE, 1); ++ bitmap_clear(chip->parameters.set_feature_list, ++ ONFI_FEATURE_ADDR_TIMING_MODE, 1); ++} ++ + static int macronix_nand_init(struct nand_chip *chip) + { + if (nand_is_slc(chip)) + chip->bbt_options |= NAND_BBT_SCAN2NDPAGE; + +- /* +- * MX30LF2G18AC chip does not support using SET/GET_FEATURES to change +- * the timings unlike what is declared in the parameter page. Unflag +- * this feature to avoid unnecessary downturns. +- */ +- if (chip->parameters.supports_set_get_features && +- !strcmp("MX30LF2G18AC", chip->parameters.model)) { +- bitmap_clear(chip->parameters.get_feature_list, +- ONFI_FEATURE_ADDR_TIMING_MODE, 1); +- bitmap_clear(chip->parameters.set_feature_list, +- ONFI_FEATURE_ADDR_TIMING_MODE, 1); +- } ++ macronix_nand_fix_broken_get_timings(chip); + + return 0; + } diff --git a/queue-4.17/mtd-rawnand-denali_dt-set-clk_x_rate-to-200-mhz-unconditionally.patch b/queue-4.17/mtd-rawnand-denali_dt-set-clk_x_rate-to-200-mhz-unconditionally.patch new file mode 100644 index 00000000000..3800ce5d601 --- /dev/null +++ b/queue-4.17/mtd-rawnand-denali_dt-set-clk_x_rate-to-200-mhz-unconditionally.patch @@ -0,0 +1,49 @@ +From 3f6e6986045d47f87bd982910821b7ab9758487e Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sat, 23 Jun 2018 01:06:34 +0900 +Subject: mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally + +From: Masahiro Yamada + +commit 3f6e6986045d47f87bd982910821b7ab9758487e upstream. + +Since commit 1bb88666775e ("mtd: nand: denali: handle timing parameters +by setup_data_interface()"), denali_dt.c gets the clock rate from the +clock driver. The driver expects the frequency of the bus interface +clock, whereas the clock driver of SOCFPGA provides the core clock. +Thus, the setup_data_interface() hook calculates timing parameters +based on a wrong frequency. + +To make it work without relying on the clock driver, hard-code the clock +frequency, 200MHz. This is fine for existing DT of UniPhier, and also +fixes the issue of SOCFPGA because both platforms use 200 MHz for the +bus interface clock. + +Fixes: 1bb88666775e ("mtd: nand: denali: handle timing parameters by setup_data_interface()") +Cc: linux-stable #4.14+ +Reported-by: Philipp Rosenberger +Suggested-by: Boris Brezillon +Signed-off-by: Masahiro Yamada +Tested-by: Richard Weinberger +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/denali_dt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/denali_dt.c ++++ b/drivers/mtd/nand/raw/denali_dt.c +@@ -123,7 +123,11 @@ static int denali_dt_probe(struct platfo + if (ret) + return ret; + +- denali->clk_x_rate = clk_get_rate(dt->clk); ++ /* ++ * Hardcode the clock rate for the backward compatibility. ++ * This works for both SOCFPGA and UniPhier. ++ */ ++ denali->clk_x_rate = 200000000; + + ret = denali_init(denali); + if (ret) diff --git a/queue-4.17/mtd-rawnand-do-not-check-fail-bit-when-executing-a-set_features-op.patch b/queue-4.17/mtd-rawnand-do-not-check-fail-bit-when-executing-a-set_features-op.patch new file mode 100644 index 00000000000..d2aaedc9d0b --- /dev/null +++ b/queue-4.17/mtd-rawnand-do-not-check-fail-bit-when-executing-a-set_features-op.patch @@ -0,0 +1,84 @@ +From 782d1967d0479ffd59412b2f3179c8bb35f50ff6 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 11 May 2018 14:44:07 +0200 +Subject: mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op + +From: Boris Brezillon + +commit 782d1967d0479ffd59412b2f3179c8bb35f50ff6 upstream. + +The ONFI spec clearly says that FAIL bit is only valid for PROGRAM, +ERASE and READ-with-on-die-ECC operations, and should be ignored +otherwise. + +It seems that checking it after sending a SET_FEATURES is a bad idea +because a previous READ, PROGRAM or ERASE op may have failed, and +depending on the implementation, the FAIL bit is not cleared until a +new READ, PROGRAM or ERASE is started. + +This leads to ->set_features() returning -EIO while it actually worked, +which can sometimes stop a batch of READ/PROGRAM ops. + +Note that we only fix the ->exec_op() path here, because some drivers +are abusing the NAND_STATUS_FAIL flag in their ->waitfunc() +implementation to propagate other kind of errors, like +wait-ready-timeout or controller-related errors. Let's not try to fix +those drivers since they worked fine so far. + +Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Boris Brezillon +Acked-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/nand_base.c | 29 ++++++++++------------------- + 1 file changed, 10 insertions(+), 19 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -2174,7 +2174,6 @@ static int nand_set_features_op(struct n + struct mtd_info *mtd = nand_to_mtd(chip); + const u8 *params = data; + int i, ret; +- u8 status; + + if (chip->exec_op) { + const struct nand_sdr_timings *sdr = +@@ -2188,26 +2187,18 @@ static int nand_set_features_op(struct n + }; + struct nand_operation op = NAND_OPERATION(instrs); + +- ret = nand_exec_op(chip, &op); +- if (ret) +- return ret; +- +- ret = nand_status_op(chip, &status); +- if (ret) +- return ret; +- } else { +- chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1); +- for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i) +- chip->write_byte(mtd, params[i]); +- +- ret = chip->waitfunc(mtd, chip); +- if (ret < 0) +- return ret; +- +- status = ret; ++ return nand_exec_op(chip, &op); + } + +- if (status & NAND_STATUS_FAIL) ++ chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1); ++ for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i) ++ chip->write_byte(mtd, params[i]); ++ ++ ret = chip->waitfunc(mtd, chip); ++ if (ret < 0) ++ return ret; ++ ++ if (ret & NAND_STATUS_FAIL) + return -EIO; + + return 0; diff --git a/queue-4.17/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch b/queue-4.17/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch new file mode 100644 index 00000000000..113cc69475c --- /dev/null +++ b/queue-4.17/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch @@ -0,0 +1,37 @@ +From e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 Mon Sep 17 00:00:00 2001 +From: Abhishek Sahu +Date: Wed, 13 Jun 2018 14:32:36 +0530 +Subject: mtd: rawnand: fix return value check for bad block status + +From: Abhishek Sahu + +commit e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 upstream. + +Positive return value from read_oob() is making false BAD +blocks. For some of the NAND controllers, OOB bytes will be +protected with ECC and read_oob() will return number of bitflips. +If there is any bitflip in ECC protected OOB bytes for BAD block +status page, then that block is getting treated as BAD. + +Fixes: c120e75e0e7d ("mtd: nand: use read_oob() instead of cmdfunc() for bad block check") +Cc: +Signed-off-by: Abhishek Sahu +Reviewed-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/nand_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -440,7 +440,7 @@ static int nand_block_bad(struct mtd_inf + + for (; page < page_end; page++) { + res = chip->ecc.read_oob(mtd, chip, page); +- if (res) ++ if (res < 0) + return res; + + bad = chip->oob_poi[chip->badblockpos]; diff --git a/queue-4.17/mtd-rawnand-micron-add-onfi_feature_on_die_ecc-to-supported-features.patch b/queue-4.17/mtd-rawnand-micron-add-onfi_feature_on_die_ecc-to-supported-features.patch new file mode 100644 index 00000000000..defe21379d4 --- /dev/null +++ b/queue-4.17/mtd-rawnand-micron-add-onfi_feature_on_die_ecc-to-supported-features.patch @@ -0,0 +1,35 @@ +From 12baf7721143c83150fa973484b7b5fcd86b23f0 Mon Sep 17 00:00:00 2001 +From: Chris Packham +Date: Tue, 19 Jun 2018 17:31:24 +1200 +Subject: mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features + +From: Chris Packham + +commit 12baf7721143c83150fa973484b7b5fcd86b23f0 upstream. + +Add ONFI_FEATURE_ON_DIE_ECC to the set/get features list for Micron +NAND flash. + +Fixes: 789157e41a06 ("mtd: rawnand: allow vendors to declare (un)supported features") +Cc: +Signed-off-by: Chris Packham +Reviewed-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/nand_micron.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/raw/nand_micron.c ++++ b/drivers/mtd/nand/raw/nand_micron.c +@@ -66,7 +66,9 @@ static int micron_nand_onfi_init(struct + + if (p->supports_set_get_features) { + set_bit(ONFI_FEATURE_ADDR_READ_RETRY, p->set_feature_list); ++ set_bit(ONFI_FEATURE_ON_DIE_ECC, p->set_feature_list); + set_bit(ONFI_FEATURE_ADDR_READ_RETRY, p->get_feature_list); ++ set_bit(ONFI_FEATURE_ON_DIE_ECC, p->get_feature_list); + } + + return 0; diff --git a/queue-4.17/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch b/queue-4.17/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch new file mode 100644 index 00000000000..1060a9fca28 --- /dev/null +++ b/queue-4.17/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch @@ -0,0 +1,64 @@ +From 3f77f244d8ec28e3a0a81240ffac7d626390060c Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Mon, 18 Jun 2018 22:41:03 +0200 +Subject: mtd: rawnand: mxc: set spare area size register explicitly + +From: Martin Kaiser + +commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream. + +The v21 version of the NAND flash controller contains a Spare Area Size +Register (SPAS) at offset 0x10. Its setting defaults to the maximum +spare area size of 218 bytes. The size that is set in this register is +used by the controller when it calculates the ECC bytes internally in +hardware. + +Usually, this register is updated from settings in the IIM fuses when +the system is booting from NAND flash. For other boot media, however, +the SPAS register remains at the default setting, which may not work for +the particular flash chip on the board. The same goes for flash chips +whose configuration cannot be set in the IIM fuses (e.g. chips with 2k +sector size and 128 bytes spare area size can't be configured in the IIM +fuses on imx25 systems). + +Set the SPAS register explicitly during the preset operation. Derive the +register value from mtd->oobsize that was detected during probe by +decoding the flash chip's ID bytes. + +While at it, rename the define for the spare area register's offset to +NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is +different from the register on v21 controllers. + +Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Kaiser +Reviewed-by: Sascha Hauer +Reviewed-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/mxc_nand.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/mxc_nand.c ++++ b/drivers/mtd/nand/raw/mxc_nand.c +@@ -48,7 +48,7 @@ + #define NFC_V1_V2_CONFIG (host->regs + 0x0a) + #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c) + #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e) +-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10) ++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10) + #define NFC_V1_V2_WRPROT (host->regs + 0x12) + #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14) + #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16) +@@ -1274,6 +1274,9 @@ static void preset_v2(struct mtd_info *m + writew(config1, NFC_V1_V2_CONFIG1); + /* preset operation */ + ++ /* spare area size in 16-bit half-words */ ++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA); ++ + /* Unlock the internal RAM Buffer */ + writew(0x2, NFC_V1_V2_CONFIG); + diff --git a/queue-4.17/of-overlay-validate-offset-from-property-fixups.patch b/queue-4.17/of-overlay-validate-offset-from-property-fixups.patch new file mode 100644 index 00000000000..a40a269ed38 --- /dev/null +++ b/queue-4.17/of-overlay-validate-offset-from-property-fixups.patch @@ -0,0 +1,41 @@ +From 482137bf2aecd887ebfa8756456764a2f6a0e545 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Wed, 16 May 2018 21:19:51 -0700 +Subject: of: overlay: validate offset from property fixups + +From: Frank Rowand + +commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream. + +The smatch static checker marks the data in offset as untrusted, +leading it to warn: + + drivers/of/resolver.c:125 update_usages_of_a_phandle_reference() + error: buffer underflow 'prop->value' 's32min-s32max' + +Add check to verify that offset is within the property data. + +Reported-by: Dan Carpenter +Signed-off-by: Frank Rowand +Cc: +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/resolver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/of/resolver.c ++++ b/drivers/of/resolver.c +@@ -122,6 +122,11 @@ static int update_usages_of_a_phandle_re + goto err_fail; + } + ++ if (offset < 0 || offset + sizeof(__be32) > prop->length) { ++ err = -EINVAL; ++ goto err_fail; ++ } ++ + *(__be32 *)(prop->value + offset) = cpu_to_be32(phandle); + } + diff --git a/queue-4.17/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch b/queue-4.17/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch new file mode 100644 index 00000000000..5362b144cb2 --- /dev/null +++ b/queue-4.17/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch @@ -0,0 +1,120 @@ +From 522811e944ed9b36806faa019faec10f9d259cca Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 4 Jun 2018 15:14:08 +0100 +Subject: of: platform: stop accessing invalid dev in of_platform_device_destroy + +From: Srinivas Kandagatla + +commit 522811e944ed9b36806faa019faec10f9d259cca upstream. + +Immediately after the platform_device_unregister() the device will be +cleaned up. Accessing the freed pointer immediately after that will +crash the system. + +Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing +loading/unloading audio drivers in a loop on Qcom platforms. + +Fix this by moving of_node_clear_flag() just before the unregister calls. + +Below is the crash trace: + +Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c03 +Mem abort info: + ESR = 0x96000021 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000021 + CM = 0, WnR = 0 +[006b6b6b6b6b6c03] address between user and kernel address ranges +Internal error: Oops: 96000021 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 PID: 1784 Comm: sh Tainted: G W 4.17.0-rc7-02230-ge3a63a7ef641-dirty #204 +Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) +pstate: 80000005 (Nzcv daif -PAN -UAO) +pc : clear_bit+0x18/0x2c +lr : of_platform_device_destroy+0x64/0xb8 +sp : ffff00000c9c3930 +x29: ffff00000c9c3930 x28: ffff80003d39b200 +x27: ffff000008bb1000 x26: 0000000000000040 +x25: 0000000000000124 x24: ffff80003a9a3080 +x23: 0000000000000060 x22: ffff00000939f518 +x21: ffff80003aa79e98 x20: ffff80003aa3dae0 +x19: ffff80003aa3c890 x18: ffff800009feb794 +x17: 0000000000000000 x16: 0000000000000000 +x15: ffff800009feb790 x14: 0000000000000000 +x13: ffff80003a058778 x12: ffff80003a058728 +x11: ffff80003a058750 x10: 0000000000000000 +x9 : 0000000000000006 x8 : ffff80003a825988 +x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000001 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : 0000000000000008 x2 : 0000000000000001 +x1 : 6b6b6b6b6b6b6c03 x0 : 0000000000000000 +Process sh (pid: 1784, stack limit = 0x (ptrval)) +Call trace: + clear_bit+0x18/0x2c + q6afe_remove+0x20/0x38 + apr_device_remove+0x30/0x70 + device_release_driver_internal+0x170/0x208 + device_release_driver+0x14/0x20 + bus_remove_device+0xcc/0x150 + device_del+0x10c/0x310 + device_unregister+0x1c/0x70 + apr_remove_device+0xc/0x18 + device_for_each_child+0x50/0x80 + apr_remove+0x18/0x20 + rpmsg_dev_remove+0x38/0x68 + device_release_driver_internal+0x170/0x208 + device_release_driver+0x14/0x20 + bus_remove_device+0xcc/0x150 + device_del+0x10c/0x310 + device_unregister+0x1c/0x70 + qcom_smd_remove_device+0xc/0x18 + device_for_each_child+0x50/0x80 + qcom_smd_unregister_edge+0x3c/0x70 + smd_subdev_remove+0x18/0x28 + rproc_stop+0x48/0xd8 + rproc_shutdown+0x60/0xe8 + state_store+0xbc/0xf8 + dev_attr_store+0x18/0x28 + sysfs_kf_write+0x3c/0x50 + kernfs_fop_write+0x118/0x1e0 + __vfs_write+0x18/0x110 + vfs_write+0xa4/0x1a8 + ksys_write+0x48/0xb0 + sys_write+0xc/0x18 + el0_svc_naked+0x30/0x34 +Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22) +---[ end trace 32020935775616a2 ]--- + +Signed-off-by: Srinivas Kandagatla +Cc: stable@vger.kernel.org +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/platform.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -537,6 +537,9 @@ int of_platform_device_destroy(struct de + if (of_node_check_flag(dev->of_node, OF_POPULATED_BUS)) + device_for_each_child(dev, NULL, of_platform_device_destroy); + ++ of_node_clear_flag(dev->of_node, OF_POPULATED); ++ of_node_clear_flag(dev->of_node, OF_POPULATED_BUS); ++ + if (dev->bus == &platform_bus_type) + platform_device_unregister(to_platform_device(dev)); + #ifdef CONFIG_ARM_AMBA +@@ -544,8 +547,6 @@ int of_platform_device_destroy(struct de + amba_device_unregister(to_amba_device(dev)); + #endif + +- of_node_clear_flag(dev->of_node, OF_POPULATED); +- of_node_clear_flag(dev->of_node, OF_POPULATED_BUS); + return 0; + } + EXPORT_SYMBOL_GPL(of_platform_device_destroy); diff --git a/queue-4.17/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch b/queue-4.17/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch new file mode 100644 index 00000000000..35f0b21db42 --- /dev/null +++ b/queue-4.17/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch @@ -0,0 +1,63 @@ +From 3b9cf7905fe3ab35ab437b5072c883e609d3498d Mon Sep 17 00:00:00 2001 +From: Stefan M Schaeckeler +Date: Mon, 21 May 2018 16:26:14 -0700 +Subject: of: unittest: for strings, account for trailing \0 in property length field + +From: Stefan M Schaeckeler + +commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream. + +For strings, account for trailing \0 in property length field: + +This is consistent with how dtc builds string properties. + +Function __of_prop_dup() would misbehave on such properties as it duplicates +properties based on the property length field creating new string values +without trailing \0s. + +Signed-off-by: Stefan M Schaeckeler +Reviewed-by: Frank Rowand +Tested-by: Frank Rowand +Cc: +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/unittest.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -165,20 +165,20 @@ static void __init of_unittest_dynamic(v + /* Add a new property - should pass*/ + prop->name = "new-property"; + prop->value = "new-property-data"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n"); + + /* Try to add an existing property - should fail */ + prop++; + prop->name = "new-property"; + prop->value = "new-property-data-should-fail"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_add_property(np, prop) != 0, + "Adding an existing property should have failed\n"); + + /* Try to modify an existing property - should pass */ + prop->value = "modify-property-data-should-pass"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_update_property(np, prop) == 0, + "Updating an existing property should have passed\n"); + +@@ -186,7 +186,7 @@ static void __init of_unittest_dynamic(v + prop++; + prop->name = "modify-property"; + prop->value = "modify-missing-property-data-should-pass"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_update_property(np, prop) == 0, + "Updating a missing property should have passed\n"); + diff --git a/queue-4.17/pci-account-for-all-bridges-on-bus-when-distributing-bus-numbers.patch b/queue-4.17/pci-account-for-all-bridges-on-bus-when-distributing-bus-numbers.patch new file mode 100644 index 00000000000..753c15f417f --- /dev/null +++ b/queue-4.17/pci-account-for-all-bridges-on-bus-when-distributing-bus-numbers.patch @@ -0,0 +1,110 @@ +From 3374c545c27c5350b954d1ab03c880d5502e5eba Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Mon, 28 May 2018 15:47:50 +0300 +Subject: PCI: Account for all bridges on bus when distributing bus numbers + +From: Mika Westerberg + +commit 3374c545c27c5350b954d1ab03c880d5502e5eba upstream. + +When distributing extra bus number space to hotplug bridges for future +extension, we don't account for the fact that there might be non-hotplug +bridges on the bus after the hotplug bridges. For example: + + 01:00.0 --+- 02:00.0 (HotPlug-) -- Thunderbolt host controller + +- 02:01.0 (HotPlug+) + \- 02:02.0 (HotPlug-) -- xHCI host controller + +pci_scan_child_bus_extend() is supposed to distribute the remaining bus +numbers to the hotplug bridge at 02:01.0, but only after accounting for all +bridges on bus 02. Since we don't check whether there's another +non-hotplug bridge after the hotplug bridge 02:01.0, it may not leave space +for the non-hotplug bridge: + + pci 0000:00:1b.0: PCI bridge to [bus 01-39] (Root Port) + pci 0000:01:00.0: PCI bridge to [bus 02-39] + ... + pci 0000:02:00.0: PCI bridge to [bus 03] + pci 0000:02:01.0: PCI bridge to [bus 04] + pci_bus 0000:04: [bus 04-39] extended by 0x35 + pci_bus 0000:04: bus scan returning with max=39 + pci_bus 0000:04: busn_res: [bus 04-39] end is updated to 39 + pci 0000:02:02.0: scanning [bus 00-00] behind bridge, pass 1 + pci_bus 0000:3a: scanning bus + pci_bus 0000:3a: bus scan returning with max=3a + pci_bus 0000:3a: busn_res: [bus 3a] end is updated to 3a + pci_bus 0000:3a: [bus 3a] partially hidden behind bridge 0000:02 [bus 02-39] + pci_bus 0000:3a: [bus 3a] partially hidden behind bridge 0000:01 [bus 01-39] + pci_bus 0000:02: bus scan returning with max=3a + pci_bus 0000:02: busn_res: [bus 02-39] end can not be updated to 3a + +The resulting 'lspci -t' output looks like this: + + +-1b.0-[01-39]----00.0-[02-3a]--+-00.0-[03]----00.0 + ^^ +-01.0-[04-39]-- + \-02.0-[3a]----00.0 + ^^ +The xHCI host controller behind 02:02.0 is not usable because it would have +to be assigned bus 3a, which is not accessible through 00:1b.0. + +To fix this, reserve at least one bus for each bridge while scanning +already configured bridges. Then use this information in the second +scan to correct the available extra bus space for hotplug bridges. + +After this change the 'lspci -t' output is what is expected: + + +-1b.0-[01-39]----00.0-[02-39]--+-00.0-[03]----00.0 + +-01.0-[04-38]-- + \-02.0-[39]----00.0 + +The xHCI controller is now on bus 39, where it is usable. + +Fixes: 1c02ea810065 ("PCI: Distribute available buses to hotplug-capable bridges") +Reported-by: Mario Limonciello +Signed-off-by: Mika Westerberg +[bhelgaas: changelog] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/probe.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -2638,7 +2638,14 @@ static unsigned int pci_scan_child_bus_e + for_each_pci_bridge(dev, bus) { + cmax = max; + max = pci_scan_bridge_extend(bus, dev, max, 0, 0); +- used_buses += cmax - max; ++ ++ /* ++ * Reserve one bus for each bridge now to avoid extending ++ * hotplug bridges too much during the second scan below. ++ */ ++ used_buses++; ++ if (cmax - max > 1) ++ used_buses += cmax - max - 1; + } + + /* Scan bridges that need to be reconfigured */ +@@ -2661,12 +2668,14 @@ static unsigned int pci_scan_child_bus_e + * bridges if any. + */ + buses = available_buses / hotplug_bridges; +- buses = min(buses, available_buses - used_buses); ++ buses = min(buses, available_buses - used_buses + 1); + } + + cmax = max; + max = pci_scan_bridge_extend(bus, dev, cmax, buses, 1); +- used_buses += max - cmax; ++ /* One bus is already accounted so don't add it again */ ++ if (max - cmax > 1) ++ used_buses += max - cmax - 1; + } + + /* diff --git a/queue-4.17/pci-add-acs-quirk-for-intel-300-series.patch b/queue-4.17/pci-add-acs-quirk-for-intel-300-series.patch new file mode 100644 index 00000000000..1a72b7cfd6a --- /dev/null +++ b/queue-4.17/pci-add-acs-quirk-for-intel-300-series.patch @@ -0,0 +1,43 @@ +From f154a718e6cc0d834f5ac4dc4c3b174e65f3659e Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Fri, 27 Apr 2018 13:06:30 -0500 +Subject: PCI: Add ACS quirk for Intel 300 series + +From: Mika Westerberg + +commit f154a718e6cc0d834f5ac4dc4c3b174e65f3659e upstream. + +Intel 300 series chipset still has the same ACS issue as the previous +generations so extend the ACS quirk to cover it as well. + +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +CC: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4241,6 +4241,11 @@ static int pci_quirk_qcom_rp_acs(struct + * + * 0x9d10-0x9d1b PCI Express Root port #{1-12} + * ++ * The 300 series chipset suffers from the same bug so include those root ++ * ports here as well. ++ * ++ * 0xa32c-0xa343 PCI Express Root port #{0-24} ++ * + * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html + * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html + * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html +@@ -4258,6 +4263,7 @@ static bool pci_quirk_intel_spt_pch_acs_ + case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */ + case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */ + case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */ ++ case 0xa32c ... 0xa343: /* 300 series */ + return true; + } + diff --git a/queue-4.17/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch b/queue-4.17/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch new file mode 100644 index 00000000000..2b988ccb984 --- /dev/null +++ b/queue-4.17/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch @@ -0,0 +1,56 @@ +From e8440f4bfedc623bee40c84797ac78d9303d0db6 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 25 Apr 2018 14:27:37 -0600 +Subject: PCI: Add ACS quirk for Intel 7th & 8th Gen mobile + +From: Alex Williamson + +commit e8440f4bfedc623bee40c84797ac78d9303d0db6 upstream. + +The specification update indicates these have the same errata for +implementing non-standard ACS capabilities. + +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +CC: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4230,11 +4230,24 @@ static int pci_quirk_qcom_rp_acs(struct + * 0xa290-0xa29f PCI Express Root port #{0-16} + * 0xa2e7-0xa2ee PCI Express Root port #{17-24} + * ++ * Mobile chipsets are also affected, 7th & 8th Generation ++ * Specification update confirms ACS errata 22, status no fix: (7th Generation ++ * Intel Processor Family I/O for U/Y Platforms and 8th Generation Intel ++ * Processor Family I/O for U Quad Core Platforms Specification Update, ++ * August 2017, Revision 002, Document#: 334660-002)[6] ++ * Device IDs from I/O datasheet: (7th Generation Intel Processor Family I/O ++ * for U/Y Platforms and 8th Generation Intel ® Processor Family I/O for U ++ * Quad Core Platforms, Vol 1 of 2, August 2017, Document#: 334658-003)[7] ++ * ++ * 0x9d10-0x9d1b PCI Express Root port #{1-12} ++ * + * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html + * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html + * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html + * [4] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-spec-update.html + * [5] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-datasheet-vol-1.html ++ * [6] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-spec-update.html ++ * [7] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-datasheet-vol-1.html + */ + static bool pci_quirk_intel_spt_pch_acs_match(struct pci_dev *dev) + { +@@ -4244,6 +4257,7 @@ static bool pci_quirk_intel_spt_pch_acs_ + switch (dev->device) { + case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */ + case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */ ++ case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */ + return true; + } + diff --git a/queue-4.17/pci-hv-make-sure-the-bus-domain-is-really-unique.patch b/queue-4.17/pci-hv-make-sure-the-bus-domain-is-really-unique.patch new file mode 100644 index 00000000000..5a6a3e5a959 --- /dev/null +++ b/queue-4.17/pci-hv-make-sure-the-bus-domain-is-really-unique.patch @@ -0,0 +1,67 @@ +From 29927dfb7f69bcf2ae7fd1cda10997e646a5189c Mon Sep 17 00:00:00 2001 +From: Sridhar Pitchai +Date: Tue, 1 May 2018 17:56:32 +0000 +Subject: PCI: hv: Make sure the bus domain is really unique + +From: Sridhar Pitchai + +commit 29927dfb7f69bcf2ae7fd1cda10997e646a5189c upstream. + +When Linux runs as a guest VM in Hyper-V and Hyper-V adds the virtual PCI +bus to the guest, Hyper-V always provides unique PCI domain. + +commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain") +overrode unique domain with the serial number of the first device added to +the virtual PCI bus. + +The reason for that patch was to have a consistent and short name for the +device, but Hyper-V doesn't provide unique serial numbers. Using non-unique +serial numbers as domain IDs leads to duplicate device addresses, which +causes PCI bus registration to fail. + +commit 0c195567a8f6 ("netvsc: transparent VF management") avoids the need +for commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI +domain"). When scripts were used to configure VF devices, the name of +the VF needed to be consistent and short, but with commit 0c195567a8f6 +("netvsc: transparent VF management") all the setup is done in the kernel, +and we do not need to maintain consistent name. + +Revert commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI +domain") so we can reliably support multiple devices being assigned to +a guest. + +Tag the patch for stable kernels containing commit 0c195567a8f6 +("netvsc: transparent VF management"). + +Fixes: 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain") +Signed-off-by: Sridhar Pitchai +[lorenzo.pieralisi@arm.com: trimmed commit log] +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org # v4.14+ +Reviewed-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-hyperv.c | 11 ----------- + 1 file changed, 11 deletions(-) + +--- a/drivers/pci/host/pci-hyperv.c ++++ b/drivers/pci/host/pci-hyperv.c +@@ -1596,17 +1596,6 @@ static struct hv_pci_dev *new_pcichild_d + get_pcichild(hpdev, hv_pcidev_ref_childlist); + spin_lock_irqsave(&hbus->device_list_lock, flags); + +- /* +- * When a device is being added to the bus, we set the PCI domain +- * number to be the device serial number, which is non-zero and +- * unique on the same VM. The serial numbers start with 1, and +- * increase by 1 for each device. So device names including this +- * can have shorter names than based on the bus instance UUID. +- * Only the first device serial number is used for domain, so the +- * domain number will not change after the first device is added. +- */ +- if (list_empty(&hbus->children)) +- hbus->sysdata.domain = desc->ser; + list_add_tail(&hpdev->list_entry, &hbus->children); + spin_unlock_irqrestore(&hbus->device_list_lock, flags); + return hpdev; diff --git a/queue-4.17/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch b/queue-4.17/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch new file mode 100644 index 00000000000..05fc28260d9 --- /dev/null +++ b/queue-4.17/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch @@ -0,0 +1,83 @@ +From 13c65840feab8109194f9490c9870587173cb29d Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 23 May 2018 17:14:39 -0500 +Subject: PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume + +From: Mika Westerberg + +commit 13c65840feab8109194f9490c9870587173cb29d upstream. + +After a suspend/resume cycle the Presence Detect or Data Link Layer Status +Changed bits might be set. If we don't clear them those events will not +fire anymore and nothing happens for instance when a device is now +hot-unplugged. + +Fix this by clearing those bits in a newly introduced function +pcie_reenable_notification(). This should be fine because immediately +after, we check if the adapter is still present by reading directly from +the status register. + +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pciehp.h | 2 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/hotplug/pciehp_hpc.c | 13 ++++++++++++- + 3 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/pci/hotplug/pciehp.h ++++ b/drivers/pci/hotplug/pciehp.h +@@ -121,7 +121,7 @@ struct controller *pcie_init(struct pcie + int pcie_init_notification(struct controller *ctrl); + int pciehp_enable_slot(struct slot *p_slot); + int pciehp_disable_slot(struct slot *p_slot); +-void pcie_enable_notification(struct controller *ctrl); ++void pcie_reenable_notification(struct controller *ctrl); + int pciehp_power_on_slot(struct slot *slot); + void pciehp_power_off_slot(struct slot *slot); + void pciehp_get_power_status(struct slot *slot, u8 *status); +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -283,7 +283,7 @@ static int pciehp_resume(struct pcie_dev + ctrl = get_service_data(dev); + + /* reinitialize the chipset's event detection logic */ +- pcie_enable_notification(ctrl); ++ pcie_reenable_notification(ctrl); + + slot = ctrl->slot; + +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -659,7 +659,7 @@ static irqreturn_t pcie_isr(int irq, voi + return handled; + } + +-void pcie_enable_notification(struct controller *ctrl) ++static void pcie_enable_notification(struct controller *ctrl) + { + u16 cmd, mask; + +@@ -697,6 +697,17 @@ void pcie_enable_notification(struct con + pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd); + } + ++void pcie_reenable_notification(struct controller *ctrl) ++{ ++ /* ++ * Clear both Presence and Data Link Layer Changed to make sure ++ * those events still fire after we have re-enabled them. ++ */ ++ pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA, ++ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC); ++ pcie_enable_notification(ctrl); ++} ++ + static void pcie_disable_notification(struct controller *ctrl) + { + u16 mask; diff --git a/queue-4.17/powerpc-64s-fix-dt-cpu-features-power9-dd2.1-logic.patch b/queue-4.17/powerpc-64s-fix-dt-cpu-features-power9-dd2.1-logic.patch new file mode 100644 index 00000000000..23579221317 --- /dev/null +++ b/queue-4.17/powerpc-64s-fix-dt-cpu-features-power9-dd2.1-logic.patch @@ -0,0 +1,42 @@ +From 749a0278c2177b2d16da5d8b135ba7f940bb4199 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Wed, 13 Jun 2018 23:23:56 +1000 +Subject: powerpc/64s: Fix DT CPU features Power9 DD2.1 logic + +From: Michael Ellerman + +commit 749a0278c2177b2d16da5d8b135ba7f940bb4199 upstream. + +In the device tree CPU features quirk code we want to set +CPU_FTR_POWER9_DD2_1 on all Power9s that aren't DD2.0 or earlier. But +we got the logic wrong and instead set it on all CPUs that aren't +Power9 DD2.0 or earlier, ie. including Power8. + +Fix it by making sure we're on a Power9. This isn't a bug in practice +because the only code that checks the feature is Power9 only to begin +with. But we'll backport it anyway to avoid confusion. + +Fixes: 9e9626ed3a4a ("powerpc/64s: Fix POWER9 DD2.2 and above in DT CPU features") +Cc: stable@vger.kernel.org # v4.17+ +Reported-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Acked-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/dt_cpu_ftrs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/dt_cpu_ftrs.c ++++ b/arch/powerpc/kernel/dt_cpu_ftrs.c +@@ -711,7 +711,8 @@ static __init void cpufeatures_cpu_quirk + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TM_HV_ASSIST; + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TM_XER_SO_BUG; + cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1; +- } else /* DD2.1 and up have DD2_1 */ ++ } else if ((version & 0xffff0000) == 0x004e0000) ++ /* DD2.1 and up have DD2_1 */ + cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1; + + if ((version & 0xffff0000) == 0x004e0000) { diff --git a/queue-4.17/powerpc-64s-radix-fix-radix_kvm_prefetch_workaround-paca-access-of-not-possible-cpu.patch b/queue-4.17/powerpc-64s-radix-fix-radix_kvm_prefetch_workaround-paca-access-of-not-possible-cpu.patch new file mode 100644 index 00000000000..35450f2a771 --- /dev/null +++ b/queue-4.17/powerpc-64s-radix-fix-radix_kvm_prefetch_workaround-paca-access-of-not-possible-cpu.patch @@ -0,0 +1,35 @@ +From 758380b8155f69b4e2f77f27562f8a7a466749d6 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 12 Jun 2018 19:38:08 +1000 +Subject: powerpc/64s/radix: Fix radix_kvm_prefetch_workaround paca access of not possible CPU + +From: Nicholas Piggin + +commit 758380b8155f69b4e2f77f27562f8a7a466749d6 upstream. + +If possible CPUs are limited (e.g., by kexec), then the kvm prefetch +workaround function can access the paca pointer for a !possible CPU. + +Fixes: d2e60075a3d44 ("powerpc/64: Use array of paca pointers and allocate pacas individually") +Cc: stable@kernel.org +Reported-by: Pridhiviraj Paidipeddi +Tested-by: Pridhiviraj Paidipeddi +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/tlb-radix.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/mm/tlb-radix.c ++++ b/arch/powerpc/mm/tlb-radix.c +@@ -733,6 +733,8 @@ extern void radix_kvm_prefetch_workaroun + for (; sib <= cpu_last_thread_sibling(cpu) && !flush; sib++) { + if (sib == cpu) + continue; ++ if (!cpu_possible(sib)) ++ continue; + if (paca_ptrs[sib]->kvm_hstate.kvm_vcpu) + flush = true; + } diff --git a/queue-4.17/powerpc-e500mc-set-assembler-machine-type-to-e500mc.patch b/queue-4.17/powerpc-e500mc-set-assembler-machine-type-to-e500mc.patch new file mode 100644 index 00000000000..e42de13de3a --- /dev/null +++ b/queue-4.17/powerpc-e500mc-set-assembler-machine-type-to-e500mc.patch @@ -0,0 +1,50 @@ +From 69a8405999aa1c489de4b8d349468f0c2b83f093 Mon Sep 17 00:00:00 2001 +From: Michael Jeanson +Date: Thu, 14 Jun 2018 11:27:42 -0400 +Subject: powerpc/e500mc: Set assembler machine type to e500mc + +From: Michael Jeanson + +commit 69a8405999aa1c489de4b8d349468f0c2b83f093 upstream. + +In binutils 2.26 a new opcode for the "wait" instruction was added for the +POWER9 and has precedence over the one specific to the e500mc. Commit +ebf714ff3756 ("powerpc/e500mc: Add support for the wait instruction in +e500_idle") uses this instruction specifically on the e500mc to work around +an erratum. + +This results in an invalid instruction in idle_e500 when we build for the +e500mc on bintutils >= 2.26 with the default assembler machine type. + +Since multiplatform between e500 and non-e500 is not supported, set the +assembler machine type globaly when CONFIG_PPC_E500MC=y. + +Signed-off-by: Michael Jeanson +Reviewed-by: Mathieu Desnoyers +CC: Benjamin Herrenschmidt +CC: Paul Mackerras +CC: Michael Ellerman +CC: Kumar Gala +CC: Vakul Garg +CC: Scott Wood +CC: Mathieu Desnoyers +CC: linuxppc-dev@lists.ozlabs.org +CC: linux-kernel@vger.kernel.org +CC: stable@vger.kernel.org +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -251,6 +251,7 @@ cpu-as-$(CONFIG_4xx) += -Wa,-m405 + cpu-as-$(CONFIG_ALTIVEC) += $(call as-option,-Wa$(comma)-maltivec) + cpu-as-$(CONFIG_E200) += -Wa,-me200 + cpu-as-$(CONFIG_PPC_BOOK3S_64) += -Wa,-mpower4 ++cpu-as-$(CONFIG_PPC_E500MC) += $(call as-option,-Wa$(comma)-me500mc) + + KBUILD_AFLAGS += $(cpu-as-y) + KBUILD_CFLAGS += $(cpu-as-y) diff --git a/queue-4.17/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch b/queue-4.17/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch new file mode 100644 index 00000000000..33980759a88 --- /dev/null +++ b/queue-4.17/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch @@ -0,0 +1,39 @@ +From 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Fri, 27 Apr 2018 11:53:18 +0530 +Subject: powerpc/fadump: Unregister fadump on kexec down path. + +From: Mahesh Salgaonkar + +commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream. + +Unregister fadump on kexec down path otherwise the fadump registration +in new kexec-ed kernel complains that fadump is already registered. +This makes new kernel to continue using fadump registered by previous +kernel which may lead to invalid vmcore generation. Hence this patch +fixes this issue by un-registering fadump in fadump_cleanup() which is +called during kexec path so that new kernel can register fadump with +new valid values. + +Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.") +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/fadump.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -1155,6 +1155,9 @@ void fadump_cleanup(void) + init_fadump_mem_struct(&fdm, + be64_to_cpu(fdm_active->cpu_state_data.destination_address)); + fadump_invalidate_dump(&fdm); ++ } else if (fw_dump.dump_registered) { ++ /* Un-register Firmware-assisted dump if it was registered. */ ++ fadump_unregister_dump(&fdm); + } + } + diff --git a/queue-4.17/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch b/queue-4.17/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch new file mode 100644 index 00000000000..cdc7f6b0d23 --- /dev/null +++ b/queue-4.17/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch @@ -0,0 +1,63 @@ +From 91d06971881f71d945910de128658038513d1b24 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Wed, 30 May 2018 18:48:04 +0530 +Subject: powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch + +From: Aneesh Kumar K.V + +commit 91d06971881f71d945910de128658038513d1b24 upstream. + +Currently we do not have an isync, or any other context synchronizing +instruction prior to the slbie/slbmte in _switch() that updates the +SLB entry for the kernel stack. + +However that is not correct as outlined in the ISA. + +From Power ISA Version 3.0B, Book III, Chapter 11, page 1133: + + "Changing the contents of ... the contents of SLB entries ... can + have the side effect of altering the context in which data + addresses and instruction addresses are interpreted, and in which + instructions are executed and data accesses are performed. + ... + These side effects need not occur in program order, and therefore + may require explicit synchronization by software. + ... + The synchronizing instruction before the context-altering + instruction ensures that all instructions up to and including that + synchronizing instruction are fetched and executed in the context + that existed before the alteration." + +And page 1136: + + "For data accesses, the context synchronizing instruction before the + slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures + that all preceding instructions that access data storage have + completed to a point at which they have reported all exceptions + they will cause." + +We're not aware of any bugs caused by this, but it should be fixed +regardless. + +Add the missing isync when updating kernel stack SLB entry. + +Cc: stable@vger.kernel.org +Signed-off-by: Aneesh Kumar K.V +[mpe: Flesh out change log with more ISA text & explanation] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/entry_64.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -596,6 +596,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG + * actually hit this code path. + */ + ++ isync + slbie r6 + slbie r6 /* Workaround POWER5 < DD2.1 issue */ + slbmte r7,r0 diff --git a/queue-4.17/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch b/queue-4.17/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch new file mode 100644 index 00000000000..5340825cf10 --- /dev/null +++ b/queue-4.17/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch @@ -0,0 +1,92 @@ +From d2032678e57fc508d7878307badde8f89b632ba3 Mon Sep 17 00:00:00 2001 +From: Anju T Sudhakar +Date: Wed, 16 May 2018 12:05:18 +0530 +Subject: powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus() + +From: Anju T Sudhakar + +commit d2032678e57fc508d7878307badde8f89b632ba3 upstream. + +Currently memory is allocated for core-imc based on cpu_present_mask, +which has bit 'cpu' set iff cpu is populated. We use (cpu number / threads +per core) as the array index to access the memory. + +Under some circumstances firmware marks a CPU as GUARDed CPU and boot the +system, until cleared of errors, these CPU's are unavailable for all +subsequent boots. GUARDed CPUs are possible but not present from linux +view, so it blows a hole when we assume the max length of our allocation +is driven by our max present cpus, where as one of the cpus might be online +and be beyond the max present cpus, due to the hole. +So (cpu number / threads per core) value bounds the array index and leads +to memory overflow. + +Call trace observed during a guard test: + +Faulting instruction address: 0xc000000000149f1c +cpu 0x69: Vector: 380 (Data Access Out of Range) at [c000003fea303420] + pc:c000000000149f1c: prefetch_freepointer+0x14/0x30 + lr:c00000000014e0f8: __kmalloc+0x1a8/0x1ac + sp:c000003fea3036a0 + msr:9000000000009033 + dar:c9c54b2c91dbf6b7 + current = 0xc000003fea2c0000 + paca = 0xc00000000fddd880 softe: 3 irq_happened: 0x01 + pid = 1, comm = swapper/104 +Linux version 4.16.7-openpower1 (smc@smc-desktop) (gcc version 6.4.0 +(Buildroot 2018.02.1-00006-ga8d1126)) #2 SMP Fri May 4 16:44:54 PDT 2018 +enter ? for help +call trace: + __kmalloc+0x1a8/0x1ac + (unreliable) + init_imc_pmu+0x7f4/0xbf0 + opal_imc_counters_probe+0x3fc/0x43c + platform_drv_probe+0x48/0x80 + driver_probe_device+0x22c/0x308 + __driver_attach+0xa0/0xd8 + bus_for_each_dev+0x88/0xb4 + driver_attach+0x2c/0x40 + bus_add_driver+0x1e8/0x228 + driver_register+0xd0/0x114 + __platform_driver_register+0x50/0x64 + opal_imc_driver_init+0x24/0x38 + do_one_initcall+0x150/0x15c + kernel_init_freeable+0x250/0x254 + kernel_init+0x1c/0x150 + ret_from_kernel_thread+0x5c/0xc8 + +Allocating memory for core-imc based on cpu_possible_mask, which has +bit 'cpu' set iff cpu is populatable, will fix this issue. + +Reported-by: Pridhiviraj Paidipeddi +Signed-off-by: Anju T Sudhakar +Reviewed-by: Balbir Singh +Tested-by: Pridhiviraj Paidipeddi +Fixes: 39a846db1d57 ("powerpc/perf: Add core IMC PMU support") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/perf/imc-pmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -1146,7 +1146,7 @@ static int init_nest_pmu_ref(void) + + static void cleanup_all_core_imc_memory(void) + { +- int i, nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core); ++ int i, nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core); + struct imc_mem_info *ptr = core_imc_pmu->mem_info; + int size = core_imc_pmu->counter_mem_size; + +@@ -1264,7 +1264,7 @@ static int imc_mem_init(struct imc_pmu * + if (!pmu_ptr->pmu.name) + return -ENOMEM; + +- nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core); ++ nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core); + pmu_ptr->mem_info = kcalloc(nr_cores, sizeof(struct imc_mem_info), + GFP_KERNEL); + diff --git a/queue-4.17/powerpc-pkeys-detach-execute_only-key-on-prot_exec.patch b/queue-4.17/powerpc-pkeys-detach-execute_only-key-on-prot_exec.patch new file mode 100644 index 00000000000..e7008467c87 --- /dev/null +++ b/queue-4.17/powerpc-pkeys-detach-execute_only-key-on-prot_exec.patch @@ -0,0 +1,42 @@ +From eabdb8ca8690eedd461e61ea7780595fbbae8132 Mon Sep 17 00:00:00 2001 +From: Ram Pai +Date: Fri, 4 May 2018 13:01:51 -0700 +Subject: powerpc/pkeys: Detach execute_only key on !PROT_EXEC + +From: Ram Pai + +commit eabdb8ca8690eedd461e61ea7780595fbbae8132 upstream. + +Disassociate the exec_key from a VMA if the VMA permission is not +PROT_EXEC anymore. Otherwise the exec_only key continues to be +associated with the vma, causing unexpected behavior. + +The problem was reported on x86 by Shakeel Butt, which is also +applicable on powerpc. + +Fixes: 5586cf61e108 ("powerpc: introduce execute-only pkey") +Cc: stable@vger.kernel.org # v4.16+ +Reported-by: Shakeel Butt +Signed-off-by: Ram Pai +Reviewed-by: Thiago Jung Bauermann +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pkeys.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/pkeys.c ++++ b/arch/powerpc/mm/pkeys.c +@@ -383,9 +383,9 @@ int __arch_override_mprotect_pkey(struct + { + /* + * If the currently associated pkey is execute-only, but the requested +- * protection requires read or write, move it back to the default pkey. ++ * protection is not execute-only, move it back to the default pkey. + */ +- if (vma_is_pkey_exec_only(vma) && (prot & (PROT_READ | PROT_WRITE))) ++ if (vma_is_pkey_exec_only(vma) && (prot != PROT_EXEC)) + return 0; + + /* diff --git a/queue-4.17/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch b/queue-4.17/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch new file mode 100644 index 00000000000..cdfd7301f4c --- /dev/null +++ b/queue-4.17/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch @@ -0,0 +1,34 @@ +From 75743649064ec0cf5ddd69f240ef23af66dde16e Mon Sep 17 00:00:00 2001 +From: Haren Myneni +Date: Mon, 4 Jun 2018 18:33:38 +1000 +Subject: powerpc/powernv: copy/paste - Mask SO bit in CR + +From: Haren Myneni + +commit 75743649064ec0cf5ddd69f240ef23af66dde16e upstream. + +NX can set the 3rd bit in CR register for XER[SO] (Summary overflow) +which is not related to paste request. The current paste function +returns failure for a successful request when this bit is set. So mask +this bit and check the proper return status. + +Fixes: 2392c8c8c045 ("powerpc/powernv/vas: Define copy/paste interfaces") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Haren Myneni +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/copy-paste.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/copy-paste.h ++++ b/arch/powerpc/platforms/powernv/copy-paste.h +@@ -42,5 +42,6 @@ static inline int vas_paste(void *paste_ + : "b" (offset), "b" (paste_address) + : "memory", "cr0"); + +- return (cr >> CR0_SHIFT) & CR0_MASK; ++ /* We mask with 0xE to ignore SO */ ++ return (cr >> CR0_SHIFT) & 0xE; + } diff --git a/queue-4.17/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch b/queue-4.17/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch new file mode 100644 index 00000000000..994fb214af9 --- /dev/null +++ b/queue-4.17/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch @@ -0,0 +1,48 @@ +From ac9816dcbab53c57bcf1d7b15370b08f1e284318 Mon Sep 17 00:00:00 2001 +From: Akshay Adiga +Date: Wed, 16 May 2018 17:32:14 +0530 +Subject: powerpc/powernv/cpuidle: Init all present cpus for deep states + +From: Akshay Adiga + +commit ac9816dcbab53c57bcf1d7b15370b08f1e284318 upstream. + +Init all present cpus for deep states instead of "all possible" cpus. +Init fails if a possible cpu is guarded. Resulting in making only +non-deep states available for cpuidle/hotplug. + +Stewart says, this means that for single threaded workloads, if you +guard out a CPU core you'll not get WoF (Workload Optimised +Frequency), which means that performance goes down when you wouldn't +expect it to. + +Fixes: 77b54e9f213f ("powernv/powerpc: Add winkle support for offline cpus") +Cc: stable@vger.kernel.org # v3.19+ +Signed-off-by: Akshay Adiga +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/idle.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/idle.c ++++ b/arch/powerpc/platforms/powernv/idle.c +@@ -79,7 +79,7 @@ static int pnv_save_sprs_for_deep_states + uint64_t msr_val = MSR_IDLE; + uint64_t psscr_val = pnv_deepest_stop_psscr_val; + +- for_each_possible_cpu(cpu) { ++ for_each_present_cpu(cpu) { + uint64_t pir = get_hard_smp_processor_id(cpu); + uint64_t hsprg0_val = (uint64_t)paca_ptrs[cpu]; + +@@ -814,7 +814,7 @@ static int __init pnv_init_idle_states(v + int cpu; + + pr_info("powernv: idle: Saving PACA pointers of all CPUs in their thread sibling PACA\n"); +- for_each_possible_cpu(cpu) { ++ for_each_present_cpu(cpu) { + int base_cpu = cpu_first_thread_sibling(cpu); + int idx = cpu_thread_in_core(cpu); + int i; diff --git a/queue-4.17/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch b/queue-4.17/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch new file mode 100644 index 00000000000..d94376cdbe9 --- /dev/null +++ b/queue-4.17/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch @@ -0,0 +1,45 @@ +From 98fd72fe82527fd26618062b60cfd329451f2329 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 30 May 2018 19:22:50 +1000 +Subject: powerpc/powernv/ioda2: Remove redundant free of TCE pages + +From: Alexey Kardashevskiy + +commit 98fd72fe82527fd26618062b60cfd329451f2329 upstream. + +When IODA2 creates a PE, it creates an IOMMU table with it_ops::free +set to pnv_ioda2_table_free() which calls pnv_pci_ioda2_table_free_pages(). + +Since iommu_tce_table_put() calls it_ops::free when the last reference +to the table is released, explicit call to pnv_pci_ioda2_table_free_pages() +is not needed so let's remove it. + +This should fix double free in the case of PCI hotuplug as +pnv_pci_ioda2_table_free_pages() does not reset neither +iommu_table::it_base nor ::it_size. + +This was not exposed by SRIOV as it uses different code path via +pnv_pcibios_sriov_disable(). + +IODA1 does not inialize it_ops::free so it does not have this issue. + +Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3642,7 +3642,6 @@ static void pnv_pci_ioda2_release_pe_dma + WARN_ON(pe->table_group.group); + } + +- pnv_pci_ioda2_table_free_pages(tbl); + iommu_tce_table_put(tbl); + } + diff --git a/queue-4.17/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch b/queue-4.17/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch new file mode 100644 index 00000000000..93395331c52 --- /dev/null +++ b/queue-4.17/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch @@ -0,0 +1,41 @@ +From cd6ef7eebf171bfcba7dc2df719c2a4958775040 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Thu, 17 May 2018 15:37:14 +1000 +Subject: powerpc/ptrace: Fix enforcement of DAWR constraints + +From: Michael Neuling + +commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream. + +Back when we first introduced the DAWR, in commit 4ae7ebe9522a +("powerpc: Change hardware breakpoint to allow longer ranges"), we +screwed up the constraint making it a 1024 byte boundary rather than a +512. This makes the check overly permissive. Fortunately GDB is the +only real user and it always did they right thing, so we never +noticed. + +This fixes the constraint to 512 bytes. + +Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges") +Cc: stable@vger.kernel.org # v3.9+ +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/hw_breakpoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -178,8 +178,8 @@ int arch_validate_hwbkpt_settings(struct + if (cpu_has_feature(CPU_FTR_DAWR)) { + length_max = 512 ; /* 64 doublewords */ + /* DAWR region can't cross 512 boundary */ +- if ((bp->attr.bp_addr >> 10) != +- ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10)) ++ if ((bp->attr.bp_addr >> 9) != ++ ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9)) + return -EINVAL; + } + if (info->len > diff --git a/queue-4.17/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch b/queue-4.17/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch new file mode 100644 index 00000000000..91fff25ce7b --- /dev/null +++ b/queue-4.17/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch @@ -0,0 +1,42 @@ +From 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Thu, 17 May 2018 15:37:15 +1000 +Subject: powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG + +From: Michael Neuling + +commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream. + +In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when +validating DAWR region end") we fixed setting the DAWR end point to +its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke +PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint. + +PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to +zero (memset() in hw_breakpoint_init()). This worked with +arch_validate_hwbkpt_settings() before the above patch was applied but +is now broken if the breakpoint is 512byte aligned. + +This sets the length of the breakpoint to 8 bytes when using +PTRACE_SET_DEBUGREG. + +Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end") +Cc: stable@vger.kernel.org # v3.11+ +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/ptrace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -2443,6 +2443,7 @@ static int ptrace_set_debugreg(struct ta + /* Create a new breakpoint request if one doesn't exist already */ + hw_breakpoint_init(&attr); + attr.bp_addr = hw_brk.address; ++ attr.bp_len = 8; + arch_bp_generic_fields(hw_brk.type, + &attr.bp_type); + diff --git a/queue-4.17/printk-fix-possible-reuse-of-va_list-variable.patch b/queue-4.17/printk-fix-possible-reuse-of-va_list-variable.patch new file mode 100644 index 00000000000..0b6c0aad180 --- /dev/null +++ b/queue-4.17/printk-fix-possible-reuse-of-va_list-variable.patch @@ -0,0 +1,52 @@ +From 988a35f8da1dec5a8cd2788054d1e717be61bf25 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 11 May 2018 19:54:19 +0900 +Subject: printk: fix possible reuse of va_list variable + +From: Tetsuo Handa + +commit 988a35f8da1dec5a8cd2788054d1e717be61bf25 upstream. + +I noticed that there is a possibility that printk_safe_log_store() causes +kernel oops because "args" parameter is passed to vsnprintf() again when +atomic_cmpxchg() detected that we raced. Fix this by using va_copy(). + +Link: http://lkml.kernel.org/r/201805112002.GIF21216.OFVHFOMLJtQFSO@I-love.SAKURA.ne.jp +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: dvyukov@google.com +Cc: syzkaller@googlegroups.com +Cc: fengguang.wu@intel.com +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Tetsuo Handa +Fixes: 42a0bb3f71383b45 ("printk/nmi: generic solution for safe printk in NMI") +Cc: 4.7+ # v4.7+ +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk_safe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/printk/printk_safe.c ++++ b/kernel/printk/printk_safe.c +@@ -82,6 +82,7 @@ static __printf(2, 0) int printk_safe_lo + { + int add; + size_t len; ++ va_list ap; + + again: + len = atomic_read(&s->len); +@@ -100,7 +101,9 @@ again: + if (!len) + smp_rmb(); + +- add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, args); ++ va_copy(ap, args); ++ add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, ap); ++ va_end(ap); + if (!add) + return 0; + diff --git a/queue-4.17/rdma-core-save-kernel-caller-name-when-creating-cq-using-ib_create_cq.patch b/queue-4.17/rdma-core-save-kernel-caller-name-when-creating-cq-using-ib_create_cq.patch new file mode 100644 index 00000000000..efd0a3ef88e --- /dev/null +++ b/queue-4.17/rdma-core-save-kernel-caller-name-when-creating-cq-using-ib_create_cq.patch @@ -0,0 +1,121 @@ +From 7350cdd0257e73a37df57253fb9decd8effacd37 Mon Sep 17 00:00:00 2001 +From: Bharat Potnuri +Date: Fri, 15 Jun 2018 20:52:33 +0530 +Subject: RDMA/core: Save kernel caller name when creating CQ using ib_create_cq() + +From: Bharat Potnuri + +commit 7350cdd0257e73a37df57253fb9decd8effacd37 upstream. + +Few kernel applications like SCST-iSER create CQ using ib_create_cq(), +where accessing CQ structures using rdma restrack tool leads to below NULL +pointer dereference. This patch saves caller kernel module name similar to +ib_alloc_cq(). + +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [] skip_spaces+0x30/0x30 +PGD 738bac067 PUD 8533f0067 PMD 0 +Oops: 0000 [#1] SMP +R10: ffff88017fc03300 R11: 0000000000000246 R12: 0000000000000000 +R13: ffff88082fa5a668 R14: ffff88017475a000 R15: 0000000000000000 +FS: 00002b32726582c0(0000) GS:ffff88087fc40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000008491a1000 CR4: 00000000003607e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + [] ? fill_res_name_pid+0x7c/0x90 [ib_core] + [] fill_res_cq_entry+0xef/0x170 [ib_core] + [] res_get_common_dumpit+0x3c4/0x480 [ib_core] + [] nldev_res_get_cq_dumpit+0x13/0x20 [ib_core] + [] netlink_dump+0x117/0x2e0 + [] __netlink_dump_start+0x1ab/0x230 + [] ibnl_rcv_msg+0x11d/0x1f0 [ib_core] + [] ? nldev_res_get_mr_dumpit+0x20/0x20 [ib_core] + [] ? rdma_nl_multicast+0x30/0x30 [ib_core] + [] netlink_rcv_skb+0xa9/0xc0 + [] ibnl_rcv+0x98/0xb0 [ib_core] + [] netlink_unicast+0xf2/0x1b0 + [] netlink_sendmsg+0x31f/0x6a0 + [] sock_sendmsg+0xb0/0xf0 + [] ? _raw_spin_unlock_bh+0x1e/0x20 + [] ? release_sock+0x118/0x170 + [] SYSC_sendto+0x121/0x1c0 + [] ? sock_alloc_file+0xa0/0x140 + [] ? __fd_install+0x25/0x60 + [] SyS_sendto+0xe/0x10 + [] system_call_fastpath+0x16/0x1b +RIP [] skip_spaces+0x30/0x30 +RSP +CR2: 0000000000000000 + +Cc: +Fixes: f66c8ba4c9fa ("RDMA/core: Save kernel caller name when creating PD and CQ objects") +Reviewed-by: Steve Wise +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/verbs.c | 14 ++++++++------ + include/rdma/ib_verbs.h | 13 ++++++++----- + 2 files changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -1562,11 +1562,12 @@ EXPORT_SYMBOL(ib_destroy_qp); + + /* Completion queues */ + +-struct ib_cq *ib_create_cq(struct ib_device *device, +- ib_comp_handler comp_handler, +- void (*event_handler)(struct ib_event *, void *), +- void *cq_context, +- const struct ib_cq_init_attr *cq_attr) ++struct ib_cq *__ib_create_cq(struct ib_device *device, ++ ib_comp_handler comp_handler, ++ void (*event_handler)(struct ib_event *, void *), ++ void *cq_context, ++ const struct ib_cq_init_attr *cq_attr, ++ const char *caller) + { + struct ib_cq *cq; + +@@ -1580,12 +1581,13 @@ struct ib_cq *ib_create_cq(struct ib_dev + cq->cq_context = cq_context; + atomic_set(&cq->usecnt, 0); + cq->res.type = RDMA_RESTRACK_CQ; ++ cq->res.kern_name = caller; + rdma_restrack_add(&cq->res); + } + + return cq; + } +-EXPORT_SYMBOL(ib_create_cq); ++EXPORT_SYMBOL(__ib_create_cq); + + int rdma_set_cq_moderation(struct ib_cq *cq, u16 cq_count, u16 cq_period) + { +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -3310,11 +3310,14 @@ int ib_process_cq_direct(struct ib_cq *c + * + * Users can examine the cq structure to determine the actual CQ size. + */ +-struct ib_cq *ib_create_cq(struct ib_device *device, +- ib_comp_handler comp_handler, +- void (*event_handler)(struct ib_event *, void *), +- void *cq_context, +- const struct ib_cq_init_attr *cq_attr); ++struct ib_cq *__ib_create_cq(struct ib_device *device, ++ ib_comp_handler comp_handler, ++ void (*event_handler)(struct ib_event *, void *), ++ void *cq_context, ++ const struct ib_cq_init_attr *cq_attr, ++ const char *caller); ++#define ib_create_cq(device, cmp_hndlr, evt_hndlr, cq_ctxt, cq_attr) \ ++ __ib_create_cq((device), (cmp_hndlr), (evt_hndlr), (cq_ctxt), (cq_attr), KBUILD_MODNAME) + + /** + * ib_resize_cq - Modifies the capacity of the CQ. diff --git a/queue-4.17/rdma-mlx4-discard-unknown-sqp-work-requests.patch b/queue-4.17/rdma-mlx4-discard-unknown-sqp-work-requests.patch new file mode 100644 index 00000000000..4a2c83f0d64 --- /dev/null +++ b/queue-4.17/rdma-mlx4-discard-unknown-sqp-work-requests.patch @@ -0,0 +1,32 @@ +From 6b1ca7ece15e94251d1d0d919f813943e4a58059 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 29 May 2018 14:56:14 +0300 +Subject: RDMA/mlx4: Discard unknown SQP work requests + +From: Leon Romanovsky + +commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream. + +There is no need to crash the machine if unknown work request was +received in SQP MAD. + +Cc: # 3.6 +Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs") +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/mad.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1934,7 +1934,6 @@ static void mlx4_ib_sqp_comp_worker(stru + "buf:%lld\n", wc.wr_id); + break; + default: +- BUG_ON(1); + break; + } + } else { diff --git a/queue-4.17/series b/queue-4.17/series index b97cec90436..13cb43de382 100644 --- a/queue-4.17/series +++ b/queue-4.17/series @@ -33,3 +33,85 @@ clk-renesas-cpg-mssr-stop-using-printk-format-pcr.patch lib-vsprintf-remove-atomic-unsafe-support-for-pcr.patch ftrace-selftest-have-the-reset_trigger-code-be-a-bit-more-careful.patch mips-ftrace-fix-static-function-graph-tracing.patch +branch-check-fix-long-int-truncation-when-profiling-branches.patch +ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch +bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch +printk-fix-possible-reuse-of-va_list-variable.patch +fuse-fix-congested-state-leak-on-aborted-connections.patch +fuse-atomic_o_trunc-should-truncate-pagecache.patch +fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch +fuse-fix-control-dir-setup-and-teardown.patch +powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch +powerpc-pkeys-detach-execute_only-key-on-prot_exec.patch +powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch +powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch +powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch +powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch +powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch +powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch +cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch +powerpc-fadump-unregister-fadump-on-kexec-down-path.patch +libnvdimm-pmem-do-not-flush-power-fail-protected-cpu-caches.patch +soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch +powerpc-64s-radix-fix-radix_kvm_prefetch_workaround-paca-access-of-not-possible-cpu.patch +powerpc-e500mc-set-assembler-machine-type-to-e500mc.patch +powerpc-64s-fix-dt-cpu-features-power9-dd2.1-logic.patch +cxl-configure-psl-to-not-use-apc-virtual-machines.patch +cxl-disable-prefault_mode-in-radix-mode.patch +arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch +arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vdd-cpux-voltage.patch +arm-dts-sun8i-h3-fix-all-h3-cc-h3-ver-vcc-1v2-regulator-voltage.patch +arm-dts-fix-spi-node-for-arria10.patch +arm-dts-socfpga-fix-nand-controller-node-compatible.patch +arm-dts-socfpga-fix-nand-controller-clock-supply.patch +arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch +hwrng-core-always-drop-the-rng-in-hwrng_unregister.patch +softirq-reorder-trace_softirqs_on-to-prevent-lockdep-splat.patch +arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch +crypto-arm64-aes-blk-fix-and-move-skcipher_walk_done-out-of-kernel_neon_begin-_end.patch +arm64-kpti-use-early_param-for-kpti-command-line-option.patch +arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch +arm64-dts-marvell-fix-cp110-icu-node-size.patch +arm64-dts-stratix10-fix-spi-nodes-for-stratix10.patch +arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch +arm64-dts-meson-gx-fix-atf-reserved-memory-region.patch +of-overlay-validate-offset-from-property-fixups.patch +of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch +of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch +tpm-fix-use-after-free-in-tpm2_load_context.patch +tpm-fix-race-condition-in-tpm_common_write.patch +efi-libstub-tpm-initialize-efi_physical_addr_t-vars-to-zero-for-mixed-mode.patch +ib-qib-fix-dma-api-warning-with-debug-kernel.patch +ib-hfi1-qib-add-handling-of-kernel-restart.patch +ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch +ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch +ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch +ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch +ib-isert-fix-t10-pi-check-mask-setting.patch +ib-hfi1-fix-fault-injection-init-exit-issues.patch +ib-hfi1-reorder-incorrect-send-context-disable.patch +ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch +ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch +ib-uverbs-fix-ordering-of-ucontext-check-in-ib_uverbs_write.patch +rdma-mlx4-discard-unknown-sqp-work-requests.patch +xprtrdma-return-enobufs-when-no-pages-are-available.patch +rdma-core-save-kernel-caller-name-when-creating-cq-using-ib_create_cq.patch +mtd-rawnand-do-not-check-fail-bit-when-executing-a-set_features-op.patch +mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch +mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch +mtd-rawnand-denali_dt-set-clk_x_rate-to-200-mhz-unconditionally.patch +mtd-rawnand-fix-return-value-check-for-bad-block-status.patch +mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch +mtd-rawnand-micron-add-onfi_feature_on_die_ecc-to-supported-features.patch +mtd-rawnand-all-ac-chips-have-a-broken-get_features-timings.patch +mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch +mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch +mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch +mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch +mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch +clk-aspeed-fix-reset-bits-for-pci-vga-and-peci.patch +pci-hv-make-sure-the-bus-domain-is-really-unique.patch +pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch +pci-add-acs-quirk-for-intel-300-series.patch +pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch +pci-account-for-all-bridges-on-bus-when-distributing-bus-numbers.patch diff --git a/queue-4.17/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch b/queue-4.17/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch new file mode 100644 index 00000000000..7a33ea807ff --- /dev/null +++ b/queue-4.17/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch @@ -0,0 +1,37 @@ +From 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e Mon Sep 17 00:00:00 2001 +From: Finley Xiao +Date: Mon, 14 May 2018 11:29:38 +0800 +Subject: soc: rockchip: power-domain: Fix wrong value when power up pd with writemask + +From: Finley Xiao + +commit 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e upstream. + +Solve the pd could only ever turn off but never turn them on again, +if the pd registers have the writemask bits. + +So far this affects the rk3328 only. + +Fixes: 79bb17ce8edb ("soc: rockchip: power-domain: Support domain control in hiword-registers") +Cc: stable@vger.kernel.org +Signed-off-by: Finley Xiao +Signed-off-by: Elaine Zhang +Reviewed-by: Ulf Hansson +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/soc/rockchip/pm_domains.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/rockchip/pm_domains.c ++++ b/drivers/soc/rockchip/pm_domains.c +@@ -255,7 +255,7 @@ static void rockchip_do_pmu_set_power_do + return; + else if (pd->info->pwr_w_mask) + regmap_write(pmu->regmap, pmu->info->pwr_offset, +- on ? pd->info->pwr_mask : ++ on ? pd->info->pwr_w_mask : + (pd->info->pwr_mask | pd->info->pwr_w_mask)); + else + regmap_update_bits(pmu->regmap, pmu->info->pwr_offset, diff --git a/queue-4.17/softirq-reorder-trace_softirqs_on-to-prevent-lockdep-splat.patch b/queue-4.17/softirq-reorder-trace_softirqs_on-to-prevent-lockdep-splat.patch new file mode 100644 index 00000000000..dded2ae9895 --- /dev/null +++ b/queue-4.17/softirq-reorder-trace_softirqs_on-to-prevent-lockdep-splat.patch @@ -0,0 +1,97 @@ +From 1a63dcd8765bc8680481dc2f9acf6ef13cee6d27 Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Thu, 7 Jun 2018 13:11:43 -0700 +Subject: softirq: Reorder trace_softirqs_on to prevent lockdep splat + +From: Joel Fernandes (Google) + +commit 1a63dcd8765bc8680481dc2f9acf6ef13cee6d27 upstream. + +I'm able to reproduce a lockdep splat with config options: +CONFIG_PROVE_LOCKING=y, +CONFIG_DEBUG_LOCK_ALLOC=y and +CONFIG_PREEMPTIRQ_EVENTS=y + +$ echo 1 > /d/tracing/events/preemptirq/preempt_enable/enable + +[ 26.112609] DEBUG_LOCKS_WARN_ON(current->softirqs_enabled) +[ 26.112636] WARNING: CPU: 0 PID: 118 at kernel/locking/lockdep.c:3854 +[...] +[ 26.144229] Call Trace: +[ 26.144926] +[ 26.145506] lock_acquire+0x55/0x1b0 +[ 26.146499] ? __do_softirq+0x46f/0x4d9 +[ 26.147571] ? __do_softirq+0x46f/0x4d9 +[ 26.148646] trace_preempt_on+0x8f/0x240 +[ 26.149744] ? trace_preempt_on+0x4d/0x240 +[ 26.150862] ? __do_softirq+0x46f/0x4d9 +[ 26.151930] preempt_count_sub+0x18a/0x1a0 +[ 26.152985] __do_softirq+0x46f/0x4d9 +[ 26.153937] irq_exit+0x68/0xe0 +[ 26.154755] smp_apic_timer_interrupt+0x271/0x280 +[ 26.156056] apic_timer_interrupt+0xf/0x20 +[ 26.157105] + +The issue was this: + +preempt_count = 1 << SOFTIRQ_SHIFT + + __local_bh_enable(cnt = 1 << SOFTIRQ_SHIFT) { + if (softirq_count() == (cnt && SOFTIRQ_MASK)) { + trace_softirqs_on() { + current->softirqs_enabled = 1; + } + } + preempt_count_sub(cnt) { + trace_preempt_on() { + tracepoint() { + rcu_read_lock_sched() { + // jumps into lockdep + +Where preempt_count still has softirqs disabled, but +current->softirqs_enabled is true, and we get a splat. + +Link: http://lkml.kernel.org/r/20180607201143.247775-1-joel@joelfernandes.org + +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Cc: Namhyung Kim +Cc: Thomas Glexiner +Cc: Boqun Feng +Cc: Paul McKenney +Cc: Masami Hiramatsu +Cc: Todd Kjos +Cc: Erick Reyes +Cc: Julia Cartwright +Cc: Byungchul Park +Cc: stable@vger.kernel.org +Reviewed-by: Steven Rostedt (VMware) +Fixes: d59158162e032 ("tracing: Add support for preempt and irq enable/disable events") +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/softirq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/softirq.c ++++ b/kernel/softirq.c +@@ -139,9 +139,13 @@ static void __local_bh_enable(unsigned i + { + lockdep_assert_irqs_disabled(); + ++ if (preempt_count() == cnt) ++ trace_preempt_on(CALLER_ADDR0, get_lock_parent_ip()); ++ + if (softirq_count() == (cnt & SOFTIRQ_MASK)) + trace_softirqs_on(_RET_IP_); +- preempt_count_sub(cnt); ++ ++ __preempt_count_sub(cnt); + } + + /* diff --git a/queue-4.17/tpm-fix-race-condition-in-tpm_common_write.patch b/queue-4.17/tpm-fix-race-condition-in-tpm_common_write.patch new file mode 100644 index 00000000000..2438f9505f6 --- /dev/null +++ b/queue-4.17/tpm-fix-race-condition-in-tpm_common_write.patch @@ -0,0 +1,139 @@ +From 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Tue, 22 May 2018 14:37:18 -0700 +Subject: tpm: fix race condition in tpm_common_write() + +From: Tadeusz Struk + +commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream. + +There is a race condition in tpm_common_write function allowing +two threads on the same /dev/tpm, or two different applications +on the same /dev/tpmrm to overwrite each other commands/responses. +Fixed this by taking the priv->buffer_mutex early in the function. + +Also converted the priv->data_pending from atomic to a regular size_t +type. There is no need for it to be atomic since it is only touched +under the protection of the priv->buffer_mutex. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Tadeusz Struk +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-dev-common.c | 40 +++++++++++++++++--------------------- + drivers/char/tpm/tpm-dev.h | 2 - + 2 files changed, 19 insertions(+), 23 deletions(-) + +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -37,7 +37,7 @@ static void timeout_work(struct work_str + struct file_priv *priv = container_of(work, struct file_priv, work); + + mutex_lock(&priv->buffer_mutex); +- atomic_set(&priv->data_pending, 0); ++ priv->data_pending = 0; + memset(priv->data_buffer, 0, sizeof(priv->data_buffer)); + mutex_unlock(&priv->buffer_mutex); + } +@@ -46,7 +46,6 @@ void tpm_common_open(struct file *file, + struct file_priv *priv) + { + priv->chip = chip; +- atomic_set(&priv->data_pending, 0); + mutex_init(&priv->buffer_mutex); + timer_setup(&priv->user_read_timer, user_reader_timeout, 0); + INIT_WORK(&priv->work, timeout_work); +@@ -58,29 +57,24 @@ ssize_t tpm_common_read(struct file *fil + size_t size, loff_t *off) + { + struct file_priv *priv = file->private_data; +- ssize_t ret_size; +- ssize_t orig_ret_size; ++ ssize_t ret_size = 0; + int rc; + + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); +- ret_size = atomic_read(&priv->data_pending); +- if (ret_size > 0) { /* relay data */ +- orig_ret_size = ret_size; +- if (size < ret_size) +- ret_size = size; ++ mutex_lock(&priv->buffer_mutex); + +- mutex_lock(&priv->buffer_mutex); ++ if (priv->data_pending) { ++ ret_size = min_t(ssize_t, size, priv->data_pending); + rc = copy_to_user(buf, priv->data_buffer, ret_size); +- memset(priv->data_buffer, 0, orig_ret_size); ++ memset(priv->data_buffer, 0, priv->data_pending); + if (rc) + ret_size = -EFAULT; + +- mutex_unlock(&priv->buffer_mutex); ++ priv->data_pending = 0; + } + +- atomic_set(&priv->data_pending, 0); +- ++ mutex_unlock(&priv->buffer_mutex); + return ret_size; + } + +@@ -91,17 +85,19 @@ ssize_t tpm_common_write(struct file *fi + size_t in_size = size; + ssize_t out_size; + ++ if (in_size > TPM_BUFSIZE) ++ return -E2BIG; ++ ++ mutex_lock(&priv->buffer_mutex); ++ + /* Cannot perform a write until the read has cleared either via + * tpm_read or a user_read_timer timeout. This also prevents split + * buffered writes from blocking here. + */ +- if (atomic_read(&priv->data_pending) != 0) ++ if (priv->data_pending != 0) { ++ mutex_unlock(&priv->buffer_mutex); + return -EBUSY; +- +- if (in_size > TPM_BUFSIZE) +- return -E2BIG; +- +- mutex_lock(&priv->buffer_mutex); ++ } + + if (copy_from_user + (priv->data_buffer, (void __user *) buf, in_size)) { +@@ -132,7 +128,7 @@ ssize_t tpm_common_write(struct file *fi + return out_size; + } + +- atomic_set(&priv->data_pending, out_size); ++ priv->data_pending = out_size; + mutex_unlock(&priv->buffer_mutex); + + /* Set a timeout by which the reader must come claim the result */ +@@ -149,5 +145,5 @@ void tpm_common_release(struct file *fil + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); + file->private_data = NULL; +- atomic_set(&priv->data_pending, 0); ++ priv->data_pending = 0; + } +--- a/drivers/char/tpm/tpm-dev.h ++++ b/drivers/char/tpm/tpm-dev.h +@@ -8,7 +8,7 @@ struct file_priv { + struct tpm_chip *chip; + + /* Data passed to and from the tpm via the read/write calls */ +- atomic_t data_pending; ++ size_t data_pending; + struct mutex buffer_mutex; + + struct timer_list user_read_timer; /* user needs to claim result */ diff --git a/queue-4.17/tpm-fix-use-after-free-in-tpm2_load_context.patch b/queue-4.17/tpm-fix-use-after-free-in-tpm2_load_context.patch new file mode 100644 index 00000000000..eca2541a51f --- /dev/null +++ b/queue-4.17/tpm-fix-use-after-free-in-tpm2_load_context.patch @@ -0,0 +1,36 @@ +From 8c81c24758ffbf17cf06c6835d361ffa57be2f0e Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Wed, 9 May 2018 11:55:35 -0700 +Subject: tpm: fix use after free in tpm2_load_context() + +From: Tadeusz Struk + +commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream. + +If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0 +then we have use after free in line 114 and double free in 117. + +Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code") +Cc: stable@vger.kernel.org +Signed-off-by: Tadeusz Struk +Reviewed-by: Jarkko Sakkinen +Signed-off--by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm2-space.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_ + * TPM_RC_REFERENCE_H0 means the session has been + * flushed outside the space + */ +- rc = -ENOENT; ++ *handle = 0; + tpm_buf_destroy(&tbuf); ++ return -ENOENT; + } else if (rc > 0) { + dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", + __func__, rc); diff --git a/queue-4.17/xprtrdma-return-enobufs-when-no-pages-are-available.patch b/queue-4.17/xprtrdma-return-enobufs-when-no-pages-are-available.patch new file mode 100644 index 00000000000..7ef7b472e9c --- /dev/null +++ b/queue-4.17/xprtrdma-return-enobufs-when-no-pages-are-available.patch @@ -0,0 +1,35 @@ +From a8f688ec437dc2045cc8f0c89fe877d5803850da Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 4 May 2018 15:35:46 -0400 +Subject: xprtrdma: Return -ENOBUFS when no pages are available + +From: Chuck Lever + +commit a8f688ec437dc2045cc8f0c89fe877d5803850da upstream. + +The use of -EAGAIN in rpcrdma_convert_iovs() is a latent bug: the +transport never calls xprt_write_space() when more pages become +available. -ENOBUFS will trigger the correct "delay briefly and call +again" logic. + +Fixes: 7a89f9c626e3 ("xprtrdma: Honor ->send_request API contract") +Signed-off-by: Chuck Lever +Cc: stable@vger.kernel.org # 4.8+ +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/rpc_rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/xprtrdma/rpc_rdma.c ++++ b/net/sunrpc/xprtrdma/rpc_rdma.c +@@ -230,7 +230,7 @@ rpcrdma_convert_iovs(struct rpcrdma_xprt + */ + *ppages = alloc_page(GFP_ATOMIC); + if (!*ppages) +- return -EAGAIN; ++ return -ENOBUFS; + } + seg->mr_page = *ppages; + seg->mr_offset = (char *)page_base; -- 2.47.3